CYBER INCIDENT RESPONSE: BRIDGING THE GAP BETWEEN CYBERSECURITY AND EMERGENCY MANAGEMENT


Wednesday, October 30, 2013 

U.S. House of Representatives, 

Committee on Homeland Security, 

Subcommittee on Emergency Preparedness, 

Response, and Communications, and 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Washington, DC. 

The subcommittees met, pursuant to call, at 10:07 a.m., in Room 311, Cannon House Office Building, Hon. Susan W. Brooks [Chairwoman of the Emergency Preparedness, Response, and Communications subcommittee] presiding.

Present from Subcommittee on Emergency Preparedness, Response, and Communications: Representatives Brooks, Palazzo, Payne, and Clarke.

Present from Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Representatives Meehan, Clarke, and Horsford.

Mrs. Brooks. The Subcommittees on Emergency Preparedness, Response, and Communications and Cybersecurity, Infrastructure Protection and Security Technologies will come to order.

I would like to welcome our witnesses, everyone in the audience, and those who are watching this webcast to our joint hearing today on Cyber Incident Response.

I would like to start out by thanking Chairman Meehan and Ranking Member Clarke for working with me and Ranking Member Payne, who we anticipate both of those Members will be here shortly, on this important issue.

I would like to thank our witnesses for their patience as we have worked to reschedule this hearing, in addition to the slight delay this morning.

I would also like to thank the staffs who have worked together in preparing us for this very important hearing this morning.

October is Cybersecurity Awareness Month, and I think it is so very important that we observe this month in part of our awareness because it must be our ability to not only protect our networks and our critical infrastructure from intrusions, but also, what is our ability to respond should an intrusion become successful? After all, we do know that the threat of a cyber attack is real and in a speech just prior to her resignation former Secretary of Homeland Security Janet Napolitano discussed that threat. She forecasted that our country will face a major cyber event that will have a serious effect on our lives, our economy, and the everyday functioning of our society.

Now, earlier this past week National Geographic Channel aired a program entitled “American Blackout” — a program which I watched with some interest on Sunday evening. It explored the cascading effects of a Nation-wide 10-day power outage caused by a cyber attack. For the Members of the committee, if you have not seen that I strongly recommend that you watch this show.

The movie was eye-opening and quite scary and happened to be on a topic that I had discussed just recently with Hoosier Power Companies in my district just last month. The effects of the blackout depicted in this movie caused serious public health and public safety issues, including severely impacting the food and water supply; the availability of fuel, which we also saw during Hurricane Sandy, which just 1 year ago yesterday when that horrific hurricane came upon our shores; the ability of hospitals to function; the ability to access money from ATM machines or to use credit cards; and most importantly, the ability to enforce the law and maintain civil society.

Now, I agree with the former Secretary when she noted that we have made some great strides in addressing cyber threat, but clearly more work must be done and must be done quickly. This assessment that work remains was echoed at a hearing we held in the Emergency Preparedness Subcommittee last month.

The 2013 National Preparedness Report released by FEMA earlier this year again highlighted States’ concerns about their own cybersecurity capabilities. The 2013 report noted gains in cybersecurity at the State level but that the States continue to report that cybersecurity is among the lowest of their capabilities. Let me repeat that: It is among the lowest of the States’ capabilities.

At that hearing California’s homeland security advisor, Mark Ghilarducci, noted that cybersecurity is an emerging and evolving threat that everybody is still grappling to get their arms around. He noted that the Federal Government’s ability to provide guidance to States has been rather limited.

I agree this is not an easy task, but information sharing about the threat and actions to take before, during, and after a cyber attack is critical. I hope that Ms. Stempfley will tell us about the Department’s efforts to share information with State and local authorities including emergency managers, fusion centers, and the private sector to help them work to address and elevate the importance of this evolving threat; and that I hope that our State and local witnesses will also discuss how they share information and coordinate with relevant officials in their States and localities and with the private sector, which, I must note, controls at least 85 percent of our Nation’s critical infrastructure. We must ensure that this coordination is taking place now so we are prepared to respond to a cyber incident that will have physical consequences.

I am also interested in learning today how DHS, working with other Federal agencies and departments and exercise participants, is working to address the lessons that were learned in the National-level exercise exercised in 2012, which simulated a large-scale cyber attack.
Just as I have noted the challenges we face in addressing the cyber threat, we must also discuss the progress that is being made. In my own district I am proud to say that the Indianapolis division of Homeland Security has established a cyber defense force to improve the overall cybersecurity preparedness of the Indianapolis metropolitan area, and the State of Indiana has included cybersecurity in its threat and hazard identification and risk assessment, or in its own THIRA.

The National Emergency Management Association is working also with Texas A&M to develop cybersecurity awareness training programs for emergency managers. Fusion centers are also becoming much more engaged in cybersecurity.

States are also taking innovative steps to address the threat. For example, Michigan has established the role of a chief security officer, which has oversight of both cybersecurity and physical security.

The National Guard is becoming much more engaged in cybersecurity as well. In Maryland the Air National Guard’s 175th Network Warfare Squadron is assisting with the development of State cybersecurity assessments and has worked with Maryland Emergency Management on cybersecurity exercises.

Next month the North American Electric Reliability Corporation, or NERC, will hold GridEx 2013, an exercise that will test the electricity subsector’s readiness to respond to a cyber incident including physical consequences.

These are all critically important steps, but as I noted earlier, much work remains to ensure we are prepared to respond to a cyber attack.

Chairman McCaul and Chairman Meehan have been working to develop thoughtful, effective cybersecurity legislation this Congress. I am pleased the draft bill that that committee has worked on includes provisions addressing cyber incident response and it is my hope that today’s hearing will help to further inform that committee’s work.

Before I conclude, I would like to ask unanimous consent to include in the record a statement from the National Governors Association, which provides greater details on steps States are taking to enhance their cybersecurity posture.

[The information follows:] 

Statement of National Governors Association 
October 30, 2013 

On behalf of the Nation’s governors, thank you for the opportunity to comment on bridging the gap between cybersecurity and emergency management. Protecting the Nation from cyber threats and their potential consequences requires strong partnerships among all levels of government, law enforcement, the military, and the private sector. Over the past several years, Governors have been working to improve the cybersecurity posture of their States and to improve State-Federal coordination. Based on these efforts and States’ interaction with the Federal Government, we are pleased to offer the recommendations below.

STATE EFFORTS TO ADDRESS CYBERSECURITY

Since the terrorist attacks of September 11, 2001, and Hurricane Katrina in 2005, National preparedness and response activities have emphasized a “whole community” approach. Despite this progress, State-Federal coordination efforts for cybersecurity are still in their early stages. In the absence of unified Federal guidance, States are moving forward to develop methods, strategies, and partnerships to improve their cyber resiliency and strengthen capabilities to prepare for, respond to, and recover from potential cyber attacks.

Governors are leading efforts to expand collaboration and drive change at both the State and Federal level. This is taking place through initiatives such as the National Governors Association (NGA) Resource Center for State Cybersecurity and the Council of Governors. Through these collaborative forums, Governors have identified a number of areas where enhanced Federal support and engagement could further assist States in this National effort. For instance, the Federal Government should:

• Enhance Federal coordination and consultation with States and recognize that Governors have emergency powers and authorities that can benefit the Federal Government.

• Leverage all available resources, such as the National Guard, to support both Federal and State cybersecurity missions.

• Provide flexibility for State investments in cybersecurity through reform of Federal grant programs and support for innovative State solutions that leverage existing resources such as fusion centers.

• Clarify Federal statutes, roles, and authorities to address cyber incident response, taking into consideration the role of States and the impact on current State laws and regulations.

• Improve information sharing and State access to Federal cybersecurity resources, such as those for technical support, education, training, and exercises.
ENCOURAGING ACTION AND PROMOTING BEST PRACTICES

Governors’ efforts are focused on the need to improve not just States’ cybersecurity, but that of the Nation. To help Governors address this challenge, NGA formed the Resource Center for State Cybersecurity in 2012. The Resource Center, co-chaired by Maryland Governor Martin O’Malley and Michigan Governor Rick Snyder, brings together experts from key State and Federal agencies and the private sector to provide strategic and actionable recommendations Governors can use to develop and implement effective State cybersecurity policies and practices.

On September 26, 2013, the NGA released Act and Adjust: A Call to Action for Governors for Cybersecurity, a paper that provides strategic recommendations Governors can immediately adopt to improve their State’s cybersecurity posture (attached). NGA also released an electronic dashboard designed to provide Governors with an overview of their State’s cybersecurity environment and assist them in monitoring implementation of the paper’s recommendations. The dashboard is currently being pilot tested in Maryland and Michigan in conjunction with the Multi-State Information Sharing & Analysis Center (MS-ISAC). Through the Resource Center, Governors are exploring other vital areas as well, including:

• The role of fusion centers in collecting and disseminating real-time information on cyber threats to State agencies and law enforcement;

• Enhancing the cybersecurity of energy systems and the electrical grid in coordination with utility commissions, owners, and operators at the State level; and

• Developing a trained and enduring cyber workforce within State government.
LEVERAGING RESOURCES GOVERNMENT-WIDE 

Identifying innovative solutions to address cybersecurity and secure the Nation against the growing cyber threat requires engagement by senior leaders at all levels of government. In addition to their work within their respective States, Governors also have engaged directly with the Federal Government through the Council of Governors (Council). Currently co-chaired by Governor O’Malley and Iowa Governor Terry Branstad, the Council brings together 10 Governors and the Secretaries of Defense and Homeland Security to address issues regarding the National Guard and homeland defense.

Since it was formally established in 2010, the Council has served as a valuable forum to facilitate coordination between State and Federal military activities, such as a 2010 agreement establishing dual-status command authority during major disasters. This authority was employed during recent events such as Hurricane Sandy and the Colorado floods. The Council is now working to turn this commitment to collaboration into similar actions to address State-Federal coordination on cybersecurity and the development of National Guard cyber capabilities.

Governors firmly believe the Guard’s unique status serving both Governors and the President and its access to civilian-acquired skillsets makes it an ideal and cost-effective resource to address our Nation’s growing cyber vulnerabilities. With the flexibility to support both Federal and State-related cyber missions, the Guard can be a force multiplier in support of the Department of Defense, the Department of Homeland Security (DHS), the Federal Bureau of Investigation and States. While the National Guard’s role in cybersecurity is still being deliberated, Guard cyber units across the country are already demonstrating their unique capabilities including:

• Serving as a key coordinating hub between various stakeholder groups. — Several National Guard cyber units are actively engaged with their Governor’s office, State emergency management agencies, State Chief Information Officers and other State, local, and Federal officials in the development of State cyber incident response plans. Several States have also integrated Guard units within their fusion center.

• Providing key support services in planning, testing, training, and exercises. — Guard unit participation is continuing to grow in State and National-level cyber exercises such as Cyber Guard, Cyber Storm, and Cyber Shield. Several State Guard units also are providing risk assessment and vulnerability testing support to State agencies and local critical infrastructure owners and operators.

• Providing a readily available and highly-trained workforce. — National Guard cyber units include personnel from a significant number of the Nation’s top cybersecurity and information technology companies such as Microsoft, Cisco, Siemens, Intel, GE, Boeing, IBM, and Google. This access provides a unique opportunity to leverage and sustain “leading edge” civilian-acquired cyber skillsets not readily available or easily built from within the Federal Government.

Earlier this year, Governors secured the commitment of former U.S. Department of Homeland Security Secretary Janet Napolitano and departing U.S. Department of Defense Deputy Secretary Ash Carter to work with them to identify new opportunities to strengthen the State-Federal partnership on cybersecurity and to better leverage existing resources such as the National Guard. This work is on-going, and we look forward to providing the committee an update on our progress early next year.


OPPORTUNITIES FOR STATE-FEDERAL ENGAGEMENT 

As the development of Federal legislation to address cybersecurity continues, Governors urge Congress to consider the following recommendations:

• Ensure coordination and consultation with States. — Like all disasters, response and recovery begins at the State and local level. Federal cyber incident response guidance such as the National Cyber Incident Response Plan (NCIRP) must not be developed using a Federal-centric approach, but must integrate key State officials and consider Governors’ authorities throughout the process.

• Promote the role of the National Guard to support both Federal and State cybersecurity missions. — This includes ensuring that the National Guard is considered concurrently with active duty forces in any new cyber force structure developed by U.S. Cyber Command and the military services.

• Support State investments in cybersecurity through reform of homeland security preparedness grants. — In recent years, decreased funding levels across preparedness grant programs combined with their current rigid requirements has limited States’ ability to address emerging threats, such as cybersecurity, or provide adequate support to fusion centers.

• Address ambiguities with cyber incident response. — This includes clarifying current statutory authorities governing disaster management, such as the Stafford Act and the Economy Act. Roles and responsibilities of the various Federal agencies with cybersecurity coordination and operational authority during an incident should be better-defined and corresponding guidance to State and local authorities (such as the NCIRP) should be updated accordingly.

• Improve information sharing with States to provide real-time intelligence on threats. — Improving existing information-sharing capabilities such as the MS-ISAC and State and local fusion centers can further support this effort. DHS also can provide more structured and coordinated access to Federal cybersecurity initiatives such as workforce and training programs, Federal cybersecurity exercises, and forums for public-private partnerships.

CYBERSECURITY IS A SHARED RESPONSIBILITY

Governors recognize the critical need to improve our Nation’s cybersecurity posture. This is an immense challenge that requires an unprecedented level of coordination among all levels of government and the private sector. Governors are committed to addressing this challenge within their States and are actively seeking to partner with their Federal counterparts. As the committee continues to consider the legislative path forward for cybersecurity, NGA stands as a ready resource for innovative policy solutions that will both support Governors’ efforts and enhance the State-Federal partnership to address our Nation’s most pressing cybersecurity challenges.


Attachment. — NGA Paper

ACT AND ADJUST: A CALL TO ACTION FOR GOVERNORS FOR CYBERSECURITY

September 2013, Thomas MacLellan, Division Director, Homeland Security & Public Safety Division, NGA Center for Best Practices

Cybersecurity remains one of the most significant challenges facing the Nation. Although implementing policies and practices that will make State systems and data more secure will be an iterative and lengthy process, Governors can take a number of actions immediately that will help detect and defend against cyber attacks occurring today and help deter future attacks.

Those actions include:

• Establishing a governance and authority structure for cybersecurity;

• Conducting risk assessments and allocating resources accordingly;

• Implementing continuous vulnerability assessments and threat mitigation practices;

• Ensuring that the State complies with current security methodologies and business disciplines in cybersecurity; and

• Creating a culture of risk awareness.

By implementing those recommendations immediately, Governors can greatly enhance States’ cybersecurity posture.

Guiding Principles

This Call to Action, as well as the work of the NGA Resource Center for State Cybersecurity (Resource Center), is guided by a set of core principles:

• Support Governors. — The work of the Resource Center is singular in its focus on supporting Governors’ efforts to improve cybersecurity. The Resource Center marks the first large-scale effort exclusively focused on the role of Governors in improving cybersecurity.

• Be Actionable. — The goal of the Resource Center is to provide to Governors recommendations and resources that promote actions that reduce risk.

• Reduce Complexity. — Cybersecurity policy is designed and implemented in a complex environment. The Resource Center aims to reduce that complexity by looking for common principles and practices that are effective in that environment.

• Protect Privacy. — The recommendations made through the Resource Center aim to both improve cybersecurity and protect the privacy, civil rights, and civil liberties of citizens.

• Employ Technologically Neutral Solutions. — The recommendations made through the Resource Center emphasize nonproprietary, open standards.

• Focus on the State as Enterprise. — The work of the Resource Center aims to improve Governors’ understanding of the State as an enterprise including the interdependencies among State agencies; between the public and private sector; and regionally across State boundaries.

• Promote Flexible Federalism. — To the extent possible, the Resource Center emphasizes the benefits of and opportunities for flexibility within Federal programs to allow for tailored State solutions.

• Rely on Evidence-Based Practices. — The Resource Center makes recommendations that build on evidence-based practices.

• Use and Generate Metrics. — The Resource Center promotes recommendations that use dynamic performance metrics to manage and improve State processes and practices.

• Promote the Use of Incentives. — The Resource Center makes recommendations that promote the use of incentives to improve cybersecurity practices in a State.

Immediate Actions to Protect States

Domestic and international actors are launching a significant number of cyber attacks against States. Although many of the actions necessary to reduce the Nation’s vulnerabilities to cyber attacks require long-term structural improvements and business redesign, Governors can take actions now that can immediately improve their State’s cybersecurity posture. Implementation of the actions described below will help to ensure strong governance and oversight, a baseline of cybersecurity capabilities, and quicker identification of attacks and threats; it also will help to improve basic cybersecurity practices.
Establish a governance structure for cybersecurity. — Because State systems and networks are interconnected, developing a robust cybersecurity posture will require an enterprise-wide approach. To that end, Governors need to ensure that they have a strong State-wide governance structure with some degree of central authority that provides a framework to prepare for, respond to, and prevent cyber attacks. Several recent attacks reveal that States which fail to put in place a strong governance structure are at a distinct disadvantage.

For many States, chief information security officers (CISOs), who are responsible for developing and carrying out information technology (IT) security policies, have only limited responsibility and authority over State-wide cyber networks. CISOs can operate in federated or decentralized environments where technology and security resources are dispersed across various agencies and departments. In addition, the sharing of cyber threat information with the private sector and local governments is handled by State homeland security agencies, further complicating the overall cybersecurity governance structure.

According to a survey conducted by Deloitte for the National Association of State Chief Information Officers (NASCIO), 56 percent of State CISOs indicate that they have authority over only their executive branch agencies, departments, and offices.[1] Although most States have a CISO, if they do not have a visible agency-level security posture, they can encounter obstacles to implementing an effective cybersecurity program. Among the elements of an effective program are enforcement mechanisms to ensure compliance with security policies and audit findings. States without governance structures to build and operate effective programs will be limited in their ability to identify on-going cyber attacks and respond in a coordinated way.

Governors can grant their chief information officers (CIOs) or CISOs the authority to develop and steer a coordinated governance structure (for example, a task force, commission, or advisory body) that can greatly improve coordination and awareness across agencies that operate State-wide cyber networks. Such an approach also helps enable the CIO or CISO to take actions to prevent or mitigate damage in the event of a cyber breach.

Michigan has created a centralized security department run by a chief security officer (CSO) that brings together both physical security and cybersecurity. Directors, managers, and employees within each agency coordinate through the centralized governance structure to focus on each agency’s need for both physical security and cybersecurity. Governance of that type is especially important during an incident or a disaster. The approach allows the CSO and CIO to work closely to manage the State’s cyber networks and infrastructure and to ensure that effective governance practices are in place.

Although a central authority is essential, it does not obviate the importance of collaboration among local governments, nongovernmental organizations, and the private sector. Those relationships are essential to understanding the culture, operations, and business practices of various agencies and organizations with cyber assets within the State. In Michigan, for example, in addition to dedicated and full-time State employees in the Office of Cybersecurity, a risk management team leverages many resources around the State to gather information and resolve an incident efficiently and effectively.

Minnesota is another example of a State that adopted a governance framework that stresses teamwork and communication between a centralized information technology organization and stakeholders. The State CIO works collaboratively with the Governor, the Technology Advisory Committee, and other agency leaders. Minnesota also has several governing bodies that have an agency CIO, providing a direct link to the State CIO and operational decisions made at the different agency team levels.[2]

Recognizing the need to foster collaboration at all levels of government and with the private sector, California recently created the California Cybersecurity Task Force. The task force focuses on sharing information to improve the security of Government and private-sector IT assets.[3]

[1] “State Governments at Risk: A Call for Collaboration and Compliance,” Deloitte and the National Association of State Chief Information Officers, October 26, 2012, accessed March 10, 2013, http://www.deloitte.com/assets/Dcom-UnitedStates/Local%20Assets/Documents/AERS/us_aers_nascio%20Cybersecurity%20Study_10192012.pdf, 10.

[2] “State of Minnesota IT Governance Framework,” http://mn.gov/oet/images/StateofMinnesotaITGovernanceFramework.pdf (June 2012).

[3] “California Launches Cybersecurity Task Force,” http://www.govtech.com/security/California-Launches-Cybersecurity-Task-Force.html (May 17, 2013).

Conduct risk assessments and allocate resources accordingly. — Governors and other key State actors need a comprehensive understanding of the risk and threat landscape to make accurate and timely decisions when allocating scarce resources. Without a comprehensive understanding of the risks, including the interdependencies among critical assets, States are vulnerable to interruptions in business operations as well as financial and data losses. To gain this awareness, States must develop security strategies and business practices by conducting risk assessments that identify information assets, model different threats to those assets, and allow for planning to protect against those threats.[4]

In addition to establishing sound business practices and using existing resources. 
States also must conduct hands-on activities and exercises as a part of their assess- 
ments. Those practices include regular penetration testing and vulnerability scan- 
ning and should be referenced in security policies. States can take advantage of re- 
sources from Federal and private entities to conduct those activities. Once an inde- 
pendent State-wide assessment has been conducted. Governors can make necessary 
decisions on where scarce resources should be allocated to prevent the loss of essen- 
tial information and resources and to protect critical infrastructure and assets. The 
initial assessment also will help determine the frequency of such assessments in the 
future, based on the risk profile of agencies. As an example, agencies with sensitive 
citizen data might require annual assessments and quarterly follow-up in their cor- 
rective action plan. 

Additionally, Governors and their senior staff who have appropriate security 
clearances should receive regular classified cybersecurity threat briefings. The De- 
partment of Homeland Security (DHS) can assist States in planning these briefings. 

Implement continuous vulnerability assessments and threat mitigation practices . — 
Consistently monitoring threats and vulnerabilities will help Governors proactively 
defend cyber networks. Every day. States are exposed to phishing scams, malware, 
denial-of-service attacks, and other common tactics employed by cyber attackers. 
Governors must ensure that mission-critical systems are equipped with technologies 
and have implemented business practices that will identify potential threats, track 
all stages of cyber attacks in real time, and offer mitigation techniques and options 
for any resulting loss or damage. 

Maryland leverages the cybersecurity capabilities of the Maryland Air National 
Guard 175th Network Warfare Squadron to support its cybersecurity assessments. 
State agencies participate in collaborative web penetration training exercises with 
the Maryland Air Guard Squadron. The exercises that feature simulated attacks 
from malicious outsiders or insidious insiders are useful in evaluating the security 
of selected State websites and portals. Security issues uncovered through the pene- 
tration tests lead to technical and procedural countermeasures to reduce risks. The 
Guard also provides network vulnerability assessment services to various State 
agencies while, in return, it receives beneficial training for the squadron’s members. 
A number of other States have similar practices in place. 

The Multi-State Information Sharing and Analysis Center (MS-ISAC) has been designated by DHS as a key resource for cyber threat prevention, protection, response, and recovery for the Nation’s State, local, territorial, and Tribal governments. Through its state-of-the-art Security Operations Center, available 24 hours a day, 7 days a week, the MS-ISAC serves as a central resource for situational awareness and incident response. The MS-ISAC also provides State, local, Tribal, and territorial governments with managed security services, which are outsourced security operations that include on-going monitoring of networks and firewalls for intrusions.

Another related resource available to State and local governments is DHS’s newly-launched Continuous Diagnostics and Mitigation (CDM) program. The CDM program at the Federal level works by expanding deployment of automated network sensors that feed data about an agency’s cybersecurity vulnerabilities into a continuously updated dashboard. To support States in improving their capabilities to prevent and detect intrusions, the CDM has a blanket purchasing agreement that reduces the cost to States of purchasing tools and services that enhance their cybersecurity. It is important to note that such purchases are most effective when coordinated with MS-ISAC’s managed security services so as to maintain collective situational awareness across State and local governments.

Ensure that your State complies with current security methodologies and business disciplines in cybersecurity. — States can turn to two industry standards for a baseline of effective cybersecurity practices. First, the Council on CyberSecurity’s Critical Controls for Effective Cyber Defense is an industry standard that provides States with a security framework that can strengthen their cyber defenses and ultimately protect information, infrastructure, and critical assets. Compliance with that standard will provide a baseline of defense, deter a significant number of attacks, and help minimize compromises, recovery, and costs. The controls are based upon five guiding principles: Using evidence-based practices to build effective defenses, assigning priorities to risk reduction and protection actions, establishing a common language that measures the effectiveness of security, continuous monitoring, and automating defenses.⁵ The controls also identify key network components and how to secure them.

⁴ “5 Steps to Cybersecurity Risk Assessment,” http://www.govtech.com/security/5-Steps-to-Cyber-Security.html?page=1 (June 24, 2010).

The second standard is the Information Technology Infrastructure Library (ITIL). 
An ITIL is a set of practices for information technology service management (ITSM) 
that are designed to align information technology (IT) with core business require- 
ments. The latest editions of ITIL, which were published in July 2011, form the core 
guidance of best management practices and can greatly strengthen States’ IT prac- 
tices. The ITIL has been adopted by companies in many private-sector industries, 
including banking, retail services, technology, and entertainment. For States, an 
ITIL will help ensure that States’ IT assets correlate with their critical assets.⁶ 

Create a culture of risk awareness. — The best firewalls and most advanced 
antivirus software cannot deter a cyber attack if the individuals using a network 
are either careless or inattentive to basic security practices. The strongest door and 
most secure lock will not keep a burglar out if the door is left open or unlocked. 

Governors have the opportunity to promote a culture of cybersecurity awareness 
that will help to minimize the likelihood of a successful cyber attack. Building a 
strong cybersecurity culture means making individuals aware of the many risks and 
on-going threats facing their networks. Those individuals must understand the po- 
tential negative implications of their activities or inattentiveness. To develop a 
strong cybersecurity culture, focus should be put on increasing awareness, setting 
appropriate expectations, and influencing day-to-day security practices of end-users. 
Awareness can be created by including relevant training and content in the orienta- 
tion process of new staff as well as annual review of current staff. Expectations 
about users’ behaviors can also be set by adding cybersecurity components to job re- 
sponsibilities. 

However, creating a culture of awareness will be an on-going process that will re- 
quire constant attention and on-going training. Governors have the opportunity to 
use the bully pulpit to make cybersecurity the responsibility of all, including ordi- 
nary citizens. In Delaware, State employees conduct cybersecurity presentations for 
elementary school students to reinforce the importance of internet safety practices. 
The State also hosts video and poster contests that encourage the public to create 
materials that promote cybersecurity awareness.⁷ 

Effective awareness training and education for end-users is recognized as the sin- 
gle most effective factor in preventing security breaches and data losses. States such 
as Michigan have launched security awareness training for all State employees and 
have posted on-line guides that are available to the public with the goal of reducing 
risk.⁸ More than 50,000 users and partners are currently enrolled in Michigan’s 
training program, an on-line interactive program consisting of a dozen 10-minute 
lessons. Other organizations, such as the MS-ISAC, also offer training resources 
that are readily available on-line. 

Michigan also has recently launched a research, test, training, and evaluation facility for cybersecurity and cyberdefense. In partnership with State universities, the private sector, and State and local governments, Merit Network Inc., a 501(c)(3) nonprofit organization, built and developed the state-of-the-art center to further advance cybersecurity training in Michigan. A wide variety of course offerings includes certifications in incident handling, disaster recovery, forensics, and wireless security. Dozens of technical staff have already completed training and received certifications.

In addition to offering training, States like Maryland conduct table-top exercises 
to raise the awareness and response capabilities of key State actors. Maryland, 
through the State’s Emergency Management Administration (MEMA), facilitated an 
initial cabinet-level table-top exercise in which cybersecurity and continuity of oper- 
ations awareness and readiness were assessed. In addition to MEMA, DHS and the 
National Security Agency Cyber Command assisted in hosting this exercise. 


⁵ “CSIS: 20 Critical Security Controls,” http://www.sans.org/critical-security-controls/guidelines.php.

⁶ “ITIL: The Basics,” http://www.best-management-practice.com/gempdf/ITIL_The_Basics.pdf.

⁷ See http://www.dti.delaware.gov/information/cybersecurity.shtml.

⁸ See State of Michigan Security Office website.

The Path Forward

The actions described above are a first step for Governors to improve cybersecu- 
rity for State-owned and -operated systems. However, a secure cybersecurity fabric 
will require an enterprise-wide approach that includes coordination and partner- 
ships with critical infrastructure owners and operators, private industry, and the 
public. 

Over the course of the next year, the NGA Resource Center for State Cybersecu- 
rity will issue a series of reports focusing on critical areas for mid- to long-term ac- 
tions Governors can take to strengthen their States’ cyber posture. Those areas in- 
clude improving coordination between State and Federal governments, leveraging 
State fusion centers to respond to cyber threats, enhancing the cybersecurity of crit- 
ical energy systems and infrastructure, and developing a skilled cybersecurity work- 
force. 

In addition to the work of the Resource Center, NGA also is leading efforts 
through the Council of Governors to collaborate with the Departments of Defense 
and Homeland Security on how the National Guard could be used to better protect 
both State and Federal networks. The National Guard’s unique role serving Gov- 
ernors and the President, combined with its ability to attract and retain individuals 
who have full-time employment in IT and related fields, makes it an ideal solution 
to help address the shortage of highly-skilled personnel necessary to protect critical 
networks and systems. 

Across the country, several States have established National Guard cyber capa- 
bilities that are closely aligned with civilian agencies and coordinate regularly with 
public utility commissions, owners and operators of critical infrastructure, and other 
public and private-sector partners. 

The NGA Resource Center for State Cybersecurity is made possible through the gen- 
erous support from our grant makers, including the American Gas Association, Citi, 
Deloitte, Edison Electric Institute, Good Technology, Hewlett-Packard, IBM, Nor- 
throp Grumman, Nuclear Energy Institute, Symantec, and VMware. 

Mrs. Brooks. With that, I look forward to hearing from our dis- 
tinguished panel of witnesses. 

The Chairwoman now will recognize the gentlelady from New 
York, Ms. Clarke, for any opening statement she may have. 

Ms. Clarke. I thank Chairwoman Brooks and Ranking Member 
Payne as well as Chairman Meehan for holding today’s joint sub- 
committee hearing. 

We all know that cybersecurity is a matter of National, economic, and societal importance. Present-day attacks on the Nation’s computer systems do not simply damage an isolated machine or disrupt a single enterprise system, but current attacks target infrastructure that is integral to the economy, National defense, and daily life.

Computer networks have joined food, water, transportation, and 
energy as critical resources for the functioning of the National 
economy. When one of these key cyber infrastructure systems is at- 
tacked, the same consequences exist for a natural disaster or ter- 
rorist attack. 

National or local resources must be deployed. Decisions are made 
to determine where to deploy resources. The question is: Who 
makes these decisions? 

The data required to make and monitor the decisions and the lo- 
cation of available knowledge to drive them may sometimes be un- 
known, unavailable, or both. Indeed, computer networks are the 
central nervous system of our National infrastructure and the 
backbone of emergency management is a robust cyber infrastruc- 
ture. These systems enable emergency management agencies to im- 
plement comprehensive approaches to natural disasters, terrorist 
attacks, and law enforcement issues. 



Mr. Payne has introduced a bill, the SMART Grid Study Act, 
that will give a fuller picture of the smart grid’s role and our reli- 
ance on it, especially during an event where emergency manage- 
ment response is key to our resilience. I am glad to see the strong 
support that the National Electrical Manufacturers have given this 
bill and I especially look forward to their testimony today. 

There is a general lack of understanding about how to describe 
and assess the complex and dynamic nature of emergency manage- 
ment tasks in relation to cybersecurity concerns. There are many 
issues involving knowledge integration and how to help managers 
improve emergency management task performance. 

Ever since the first computer virus hit the internet it has been 
apparent that attacks can spread rapidly. Just as society has bene- 
fited from the nearly infinite connections of devices and people 
through the U.S. cyber infrastructure, so have malicious parties 
with the intent of taking advantage of this connectivity to launch 
destructive attacks. 

We must find a way to develop tools that we can use to improve 
emergency management successes through effective handling, cyber 
complexity, cyber knowledge, and cyber integration at the ground 
level of our first responders. 

Madam Chairwoman, I look forward to today’s testimony and I 
yield back. 

[The statement of Ranking Member Clarke follows:] 

Statement of Ranking Member Yvette D. Clarke 

We all know that cybersecurity is a matter of National, economic, and societal im- 
portance. Present-day attacks on the Nation’s computer systems do not simply dam- 
age an isolated machine or disrupt a single enterprise system, but current attacks 
target infrastructure that is integral to the economy, National defense, and daily 
life. 

Computer networks have joined food, water, transportation, and energy as critical 
resources for the functioning of the National economy. When one of these key cyber 
infrastructure systems is attacked, the same consequences exist for a natural dis- 
aster or terrorist attack. 

National or local resources must be deployed. Decisions are made to determine 
where to deploy resources. The question is: Who makes these decisions? The data 
required to make and monitor the decisions, and the location of available knowledge 
to drive them may sometimes be unknown, unavailable, or both. 

Indeed, computer networks are the “central nervous system” of our National infra- 
structure, and the backbone of emergency management is a robust cyber infrastruc- 
ture. These systems enable emergency management agencies to implement com- 
prehensive approaches to natural disasters, terrorist attacks, and law enforcement 
issues. 

Mr. Payne has introduced a bill, the Smart Grid Study Act, that will give a fuller 
picture of the smart grid’s role and our reliance on it, especially during an event 
where emergency management response is the key to our resilience. I’m glad to see 
the strong support that the National Electrical Manufacturers have given this bill, 
and I especially look forward to their testimony today. 

There is a general lack of understanding about how to describe and assess the 
complex and dynamic nature of emergency management tasks in relation to cyberse- 
curity concerns. And there are many issues involving knowledge integration and 
how it helps managers improve emergency management task performance. Ever 
since the first computer virus hit the internet, it has been apparent that attacks 
can spread rapidly. 

Just as society has benefited from the nearly infinite connections of devices and 
people through the U.S. cyber infrastructure, so have malicious parties with the in- 
tent of taking advantage of this connectivity to launch destructive attacks. 

We must find a way to develop tools that we can use to improve Emergency Man- 
agement successes through effectively handling cyber complexity, cyber knowledge, 
and cyber integration at the ground level for our first responders. 
Mrs. Brooks. Thank you. 

I thank the Ranking Member of the Subcommittee on Cybersecu- 
rity, Infrastructure Protection, and Security Technologies and I 
now turn to the Ranking Member for the Emergency Preparedness, 
Response, and Communications, the gentleman from New Jersey, 
Mr. Payne, for any opening statements. 

Mr. Payne. Thank you, Madam Chairwoman. Let me apologize 
for my tardiness, but Amtrak didn’t cooperate this morning, so I 
apologize for that. 

I would like to thank Chairwoman Brooks and Chairman Mee- 
han for calling this hearing today. 

Yesterday marked the 1-year anniversary of Super Storm Sandy, 
which devastated communities all along the Eastern Coast, espe- 
cially in my home State of New Jersey. Although the people of New 
Jersey, with a lot of help from the Federal Government, have 
begun the long effort to rebuild what was lost, much work remains. 
I know that I am not alone when I say that the people affected by 
Hurricane Sandy can be sure that members of this panel will con- 
tinue to work to make sure that the communities are rebuilt and 
the lessons learned are incorporated into future disaster plans. 

With that, I will turn to the topic of today’s hearing, responding 
to cyber attack. Last month the Subcommittee on Emergency Pre- 
paredness, Response, and Communications held a hearing review- 
ing the findings of the Federal Emergency Management Agency’s 
2013 National Preparedness Report. For the second year in a row, 
States indicated that of the 31 core capabilities, cybersecurity is 
one of the capabilities about which they are least confident. 

The threats posed by a cyber attack are not new, but the impact 
of a cyber attack becomes more grave as every aspect of Govern- 
ment and the private sector become more reliant on cyber tech- 
nologies. For example, communications essential to an effective 
emergency response, from the emergency alert system to E-911 
and eventually FirstNet, all are vulnerable to cyber attack. The 
data networks and computer systems used to coordinate an effi- 
cient response to ensure that adequate resources are deployed to 
the appropriate locations are similarly vulnerable to a cyber 
breach. 

A cyber attack on any of these systems could severely undercut 
Federal, State, and local abilities to respond to disasters effectively. 
Moreover, we have seen a significant increase in cyber threats to 
our critical infrastructure. 

We know that disasters like Super Storm Sandy can wreak havoc 
on our power systems but rarely consider the harm that a mali- 
cious cyber attack could do to our electrical grid. Accordingly, I 
have introduced the SMART Grid Study Act, which will provide a 
comprehensive assessment of actions necessary to expand and 
strengthen the capabilities of our electrical power systems to pre- 
pare for and respond to, mitigate, and recover from a natural dis- 
aster or cyber attack to the electric grid. My legislation will go a 
long way to provide sector-specific awareness of cyber 
vulnerabilities and how to address them. 

We must help State governments undertake similar efforts to un- 
derstand the cyber threats posed to their networks and how to ad- 
dress them. It is no secret that a lack of funding has contributed 
to the lack of confidence States have in their cybersecurity capabilities. I would be interested in learning how cuts to homeland security grant funding since 2011 have affected States’ cybersecurity efforts.

I have also heard that States have struggled to implement gov- 
erning structure for cybersecurity and that finding a workforce 
with the appropriate training has proven difficult. So I would be 
interested to learn how the Department of Homeland Security is 
helping States identify best practices for an effective cybersecurity 
governance structure and improve training for State cybersecurity 
workforces. 

I look forward to learning more about how State emergency man- 
agers are working with State chief information officers to under- 
stand the role each play in responding to a cyber incident. 

I want to thank the witnesses for being here today and I look for- 
ward to their testimony. 

Madam Chairwoman, I yield back the balance of my time. 

[The statement of Ranking Member Payne follows:] 

Statement of Ranking Member Donald M. Payne, Jr. 

October 30, 2013 

Yesterday marked the 1-year anniversary of Super Storm Sandy, which dev- 
astated communities all along the East Coast, and especially in my home State of 
New Jersey. Although the people of New Jersey — with a lot of help from the Federal 
Government — have begun the long effort to rebuild what was lost, much work re- 
mains. 

I know I am not alone when I say that the people affected by Hurricane Sandy 
can be sure that members of this panel will continue to work to make sure that 
the communities are rebuilt and the lessons learned are incorporated into future 
disaster plans. 

With that, I will turn to the topic of today’s hearing: Responding to a cyber attack. Last month, the Subcommittee on Emergency Preparedness, Response, and Communications held a hearing reviewing the findings of the Federal Emergency Management Agency’s 2013 National Preparedness Report. For the second year in a row, States indicated that — of the 31 core capabilities — cybersecurity is one of the capabilities about which they are least confident.

The threats posed by a cyber attack are not new. But the impact of a cyber attack 
becomes more grave as every aspect of Government and the private sector become 
more reliant on cyber technologies. For example, communications essential to an ef- 
fective emergency response, from the Emergency Alert System, to E9-1-1, and even- 
tually FirstNet, are all vulnerable to a cyber attack. 

The data networks and computer systems used to coordinate an efficient response 
and ensure that adequate resources are deployed to the appropriate location are 
similarly vulnerable to a cyber breach. A cyber attack on any of these systems could 
severely undercut Federal, State, and local abilities to respond to disasters effec- 
tively. 

Moreover, we have seen a significant increase in cyber threats to our critical in- 
frastructure. We know that disasters like Super Storm Sandy can wreak havoc on 
our power systems but we rarely consider the harm that a malicious cyber attack 
could do to our electric grid. 

Accordingly, I have introduced the SMART Grid Act, which would provide for a 
comprehensive assessment of actions necessary to expand and strengthen the capa- 
bilities of the electrical power system to prepare for, respond to, mitigate, and re- 
cover from a natural disaster or cyber attack to the electric grid. 

My legislation will go a long way to provide sector-specific awareness of cyber 
vulnerabilities and how to address them. We must help State governments under- 
take similar efforts to understand the cyber threats posed to their networks and 
how to address them. It is no secret that a lack of funding has contributed to the 
lack of confidence States have in their cybersecurity capabilities. 

I will be interested in learning how cuts to Homeland Security Grant funding 
since 2011 have affected State cybersecurity efforts. I have also heard that States 
have struggled to implement a governance structure for cybersecurity and that finding a workforce with the appropriate training has proven difficult.

So I will be interested to learn how the Department of Homeland Security is help- 
ing States identify best practices for an effective cybersecurity governance structure 
and improve training for State cybersecurity workforces. I look forward to learning 
more about how State Emergency Managers are working with State Chief Informa- 
tion Officers to understand the role each play in responding to a cyber incident. 

Mrs. Brooks. Thank you. 

Other Members of the subcommittee are reminded that opening 
statements may be submitted for the record. 

[The statement of Ranking Member Thompson follows:] 

Statement of Ranking Member Bennie G. Thompson 
October 30, 2013 

In 2010, former White House Counterterrorism Advisor Richard Clarke stated 
that this country’s lack of preparation for a cyber attack could lead to a breakdown 
in our critical infrastructure system that would be like an “electronic Pearl Harbor.” 
While some may consider his assessment a bit exaggerated, I think we would do 
well to remember it as we begin today’s hearing. 

We should also recall that in the 112th Congress, this committee marked up cy- 
bersecurity legislation. Unfortunately, the Republican leadership of the House did 
not allow that legislation to come to the floor of the House. In January, the Presi- 
dent issued an Executive Order requiring certain basic steps that will improve this 
Nation’s ability to protect and defend against cyber attacks. 

While I applaud the President’s efforts, I must point out that an Executive Order 
cannot expand existing legal authorities. In May of this year, the Department of 
Homeland Security testified before this committee that the “United States confronts 
a dangerous combination of known and unknown vulnerabilities in cyberspace.” 
DHS also told us the Department processed approximately 190,000 cyber incidents 
involving Federal agencies, critical infrastructure, and the Department’s industry 
partners — a 68 percent increase from 2011. 

Mr. Chairman, I think that we should all have concern about cyber attacks on 
critical infrastructure — especially attacks that could disable the electric grid. For 
most of us, spending a day or two without electricity is an inconvenience. For others, 
it can be a matter of life or death. That is why I am pleased that Rep. Payne, Jr. 
introduced H.R. 2962, the SMART Grid Study Act. If enacted, the bill will require 
a comprehensive study to examine the construction, job creation, energy savings, 
and environmental protections associated with fully upgrading to a SMART Grid 
System. The information gathered in the study may help us reduce the frequency 
and severity of outages during disaster events. I urge my colleagues to support this 
bill. 

Still, there is more to be done. We cannot begin to address the current threats 
or anticipate future vulnerabilities if we have not invested in the kind of education 
and training necessary to develop the next generation of cyber professionals. Fed- 
eral, State, and local governments and the private sector are each vulnerable to 
cyber attacks. While the threats from and sophistication of hackers continues to 
grow, initiatives to address this mutual vulnerability must be comprehensive and 
coordinated. This country’s history has repeatedly shown that a shared commitment 
to a common goal is necessary to achieve progress — from bringing electricity to the 
Nation to walking on the moon. Today, the same kind of commitment and collabora- 
tion is necessary to address the cyber threat. 

Like every previous movement that resulted in progress, this first step must be 
education. That is why I am pleased that yesterday, this committee marked up Rep. 
Clarke’s bill, H.R. 3107, the Homeland Security Cybersecurity Boots-on-the-Ground 
Act. This bill will help foster the development of a National security workforce capa- 
ble of meeting current and future cybersecurity challenges, and it will outline how 
DHS can improve its recruitment and retention of cybersecurity professionals. 

Mr. Chairman, I urge this committee to continue to put forward the kind of legis- 
lation that will help this Nation resolve our known vulnerabilities. More than any 
other committee, we must be on the forefront of proposing innovations and pushing 
forward common-sense solutions. 
Mrs. Brooks. We are pleased to have a very distinguished panel 
before us today on this important topic. So with that, I will begin 
the introductions of our panelists. 

Ms. Bobbie Stempfley is the acting assistant secretary of the Of- 
fice of Cybersecurity and Communications, where she plays a lead- 
ing role in developing the strategic direction for CS&C and its five 
divisions. Ms. Stempfley previously served as the deputy assistant 
secretary for CS&C and as director of the National Cybersecurity 
Division, a legacy CS&C division. Prior to her work at CS&C, Ms. 
Stempfley served as the chief information officer for the Defense 
Information Systems Agency. 

Next on our panel is Mr. Charley English, who was appointed di- 
rector of the Georgia Emergency Management Agency/Homeland 
Security in February of 2006. He has served in the agency since 
1996. He began his career in public service as a local police officer 
in 1980. 

Other current responsibilities include serving as the president of 
the National Emergency Management Association, chair of the Governor’s Commission on 9-1-1 Modernization, and State point of 
contact for the Nation-wide Public Safety Broadband Network. He 
earned a master’s degree in homeland defense and security from 
the Naval Postgraduate School in 2004. 

I now will yield to the gentleman from Mississippi, Ranking 
Member of our subcommittee, or I am sorry, vice chair of our sub- 
committee, Mr. Palazzo, to introduce our next witness. 

Mr. Palazzo. Thank you, Madam Chairwoman. 

It is my pleasure to introduce Dr. Craig Orgeron. Dr. Orgeron is 
the chief information officer and executive director of the State of 
Mississippi’s Department of Information Technology Services. He 
also has the honor of serving as the president of the National Asso- 
ciation of State Chief Information Officers. 

Dr. Orgeron has over 24 years of information technology experi- 
ence in both the private sector and the Federal and State level of 
the public sector. He began his career as a communications com- 
puter systems officer in the United States Air Force, serving from 
1988 to 1992. 

Dr. Orgeron holds a bachelor’s degree in management informa- 
tion systems, a master’s degree and a doctorate in public policy and 
administration from Mississippi State University. Dr. Orgeron is a 
certified public manager and a graduate of the John C. Stennis 
State Executive Development Institute as well as the Institute of 
International Digital Government Research and the Harvard Uni- 
versity John F. Kennedy School of Government executive education 
series “Leadership for a Networked World.” 

Thank you, Dr. Orgeron, for being here today, and I look forward 
to hearing your testimony. 

I yield back. 

Mrs. Brooks. Thank you. 

Next up is Mr. Mike Sena, who is the director of the Northern 
California Regional Intelligence Center and serves as president of 
the National Fusion Center Association. He has served in law en- 
forcement for nearly 20 years, including the California Bureau of 
Investigation Intelligence, the California Bureau of Narcotics En- 
forcement, and the California Department of Alcoholic Beverage 
Control. Mr. Sena received his bachelor of arts degree in criminal 
justice from California State University, San Bernardino. 

I now recognize the gentleman from New Jersey, Ranking Mem- 
ber Payne, to introduce our next witness. 

Mr. Payne. Thank you, Madam Chairwoman. 

Paul Molitor serves as the assistant vice president of smart grid 
and special projects for the National Electrical Manufacturers As- 
sociation. For 450 member companies of NEMA, he is responsible 
for monitoring the National smart grid effort and interfacing with 
electrical utilities, manufacturers, Federal agencies, and the U.S. 
Congress. 

Paul was the first plenary secretary of the NIST Smart Grid 
Interoperability Panel, is active in the SGIP cybersecurity and 
internet protocol working groups and the International Electrotechnical 
Commission Strategy Group 3 on the smart grid. 

Welcome, sir. 

Say that fast three times. 

Mrs. Brooks. The witnesses’ full written statements — I want to 
thank you all for your written statements — they will appear in the 
record. Just as a reminder with the lighting system, you each will 
have 5 minutes and when you get to 1 minute you will see the yel- 
low light and then the red light when your time is up. 

So I will now recognize Ms. Stempfley for her 5 minutes. 

STATEMENT OF ROBERTA STEMPFLEY, ACTING ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Stempfley. Thank you very much. Chairwoman Brooks, 
Chairman Meehan, Ranking Members Payne and Clarke, and dis- 
tinguished Members of the committee. It certainly is a privilege to 
appear before you today to discuss the Department of Homeland 
Security’s coordination with State, local, Tribal, and territorial 
emergency managers on cybersecurity issues. 

As the Chairwoman pointed out, it is National Cybersecurity 
Awareness Month. In fact, it is the 10th anniversary of the begin- 
ning of National Cybersecurity Awareness Month. This week is an 
important week for us because we also transition in November to 
National Critical Infrastructure Security and Resilience Month, 
further demonstrating the alliance — the integration and necessary 
responsibility for looking at cyber and physical issues in a cohesive 
and coherent manner. 

This month of October is the month where we get to further en- 
gage in public and private-sector stakeholder conversations about 
how to create safe, secure, and resilient cyber environment. Every- 
one has a role to play in cybersecurity and I am pleased to discuss 
the Department’s efforts to engage State and local emergency man- 
agers as they build cybersecurity resilience into the networks and 
systems which they depend on in a daily basis. 

America’s cybersecurity is inextricably linked to our National 
economic viability. IT systems are interdependent, interconnected, 
and critical to our daily lives, from communications, travel, 
powering our homes, running our economy, and obtaining Govern- 
ment services. 
DHS serves as the lead civilian Department responsible for co- 
ordinating National protection, prevention, mitigation, and recov- 
ery from cyber incidents, and we work regularly with business 
owners and operators to take steps to strengthen facilities and 
communities including the Nation’s physical and cyber infrastruc- 
ture. We are also committed to ensuring cyber space is supported 
by a secure and resilient infrastructure, enabling open communica- 
tions, innovation, and prosperity while protecting privacy, confiden- 
tiality, and civil rights and civil liberties by design. 

Protecting this infrastructure against growing and evolving cyber 
threats requires a layered approach. The Government’s role in this 
effort is to share information and encourage enhanced security and 
resilience while identifying and addressing gaps not filled by the 
marketplace. 

Providing effective cybersecurity services requires fostering rela- 
tionships with those who own and operate communications infra- 
structure, members in the emergency responder community, and 
Federal, State, local, Tribal, and territorial partners. Indeed, as 
many of the communication technologies currently used by public 
safety and emergency services organizations are moving to inter- 
net-based — protocol-based environments there is an increasing 
awareness of the cyber limitations and vulnerabilities that our 
emergency service providers will face in conduct of their mission. 
It is important, therefore, for the Department to engage not just 
with chief information officers or chief information security officers 
at the State and local level, but also the emergency management 
and other officials for whom a cyber environment is equally impor- 
tant to accomplishing their mission. 

The Department has initiated several activities focusing on en- 
suring State, local, Tribal, and territorial emergency managers are 
able to build cybersecurity resilience into those information and 
technology networks and systems upon which they depend. 

Several of these efforts include production and delivery of a cyber 
infrastructure risk assessment for both the Nation-wide Public 
Safety Broadband Network and the emergency services sector; local 
pilot projects with emergency managers and critical infrastructure 
partners to better understand interconnections between those cyber 
and physical infrastructures and potential risks presented to the 
Nation; updating the National Emergency Communications Plan in 
coordination with the public safety community, which will discuss 
how cybersecurity has become a key consideration for public safety 
officials in these new IP-enabled technologies as that is more read- 
ily integrated into their operations; and the deployment of region- 
ally-based advisors to promote cybersecurity awareness, program 
and policy coordination, information sharing, and risk analysis to 
their partners. 

These cybersecurity advisors directly engage with State and local 
emergency centers; and partnerships with non-Federal public-sec- 
tor stakeholders to protect critical network — for example, the 
Multi-State Information-Sharing and Analysis Center, which 
opened its Cybersecurity Operations Center in November 2010 and 
has enhanced the Department’s situational awareness at the State 
and local level and allows the Department to provide cyber risk, 
vulnerability, and mitigation data quickly to State and local gov- 
ernments. 

Specifically, since 2009 the National Cybersecurity and Commu- 
nications Integration Center has responded to nearly half a million 
incident reports and has released more than 26,000 actionable cy- 
bersecurity alerts to public and private-sector partners. Of that, 
7,270 were released in fiscal year 2013 alone. That is more than 
20 a day. 

DHS’s servicing capabilities are designed to support emergency 
managers at all levels of engagement across education, planning, 
cyber incident response, and recovery activities. They are integral 
parts of reducing risk and building capabilities of our partners. As 
necessary, these relationships have to be leveraged in operational 
response efforts in order to meet those immediate and critical 
needs. 

I thank you for the opportunity to testify with you today and I 
look forward to answering your questions. 

[The prepared statement of Ms. Stempfley follows:] 

Prepared Statement of Roberta Stempfley 
October 30, 2013 

Chairwoman Brooks and Chairman Meehan, Ranking Members Payne and 
Clarke, and distinguished Members of the committee, it is a pleasure to appear be- 
fore you today to discuss the Department of Homeland Security’s (DHS) coordina- 
tion with State, local, Tribal, and territorial (SLTT) emergency managers on cyber- 
security issues. This October marks the 10th anniversary of National Cyber Security 
Awareness Month, which is an opportunity to further engage public and private-sec- 
tor stakeholders to create a safe, secure, and resilient cyber environment. Everyone 
has a role to play in cybersecurity and I am pleased to discuss the Department’s 
efforts to engage SLTT emergency managers as they build cybersecurity resilience 
into those networks and systems upon which they depend on a daily basis. 

America’s cybersecurity is inextricably linked to our Nation’s economic vitality — 
IT systems are interdependent, interconnected, and critical to our daily lives — from 
communication, travel, and powering our homes, to running our economy, and ob- 
taining Government services. DHS is the lead Federal civilian department respon- 
sible for coordinating the National protection, prevention, mitigation, and recovery 
from cyber incidents and works regularly with business owners and operators to 
take steps to strengthen their facilities and communities, which include the Nation’s 
physical and cyber infrastructure. We are also committed to ensuring cyberspace is 
supported by a secure and resilient infrastructure that enables open communication, 
innovation, and prosperity while protecting privacy, confidentiality, and civil rights 
and civil liberties by design. 

CYBERSECURITY SUPPORT TO SLTT EMERGENCY MANAGERS 

Protecting this infrastructure against growing and evolving cyber threats requires 
a layered approach. The Government’s role in this effort is to share information and 
encourage enhanced security and resilience, while identifying and addressing gaps 
not filled by the marketplace. Providing effective cybersecurity services requires fos- 
tering relationships with those who own and operate the communications infrastruc- 
ture, members of the emergency responder community, and Federal, State, local, 
Tribal, and territorial partners. Indeed, as many of the communications technologies 
currently used by public safety and emergency services organizations move to an 
Internet Protocol (IP)-based environment, there is an increase in the cyber 
vulnerabilities of our emergency services providers in the conduct of their mission. 
It is important, therefore, for the Department to engage not just Chief Information 
Officers (CIO) or Chief Information Security Officers (CISO) at the SLTT level, but 
also the emergency managers and other officials for whom a secure cyber environ- 
ment is equally as important to accomplishing their mission. 

The Department has initiated several activities focused on ensuring SLTT emer- 
gency managers are able to build cybersecurity resilience into those information and 
technology networks and systems upon which they depend. Cyber dependencies and 
interdependencies require interactions between several different DHS organizations 
and SLTT partners in order to address this complex need. DHS has been forward- 
thinking as the reliance upon cyber systems has grown and our engagements have 
been on-going. 


PREVIOUS EFFORTS 

• Regionally-Based Cybersecurity Advisors. — The Cybersecurity Advisors (CSA) 
program was created and implemented by CS&C in 2010. The regionally-de- 
ployed personnel promote cybersecurity awareness, program and policy coordi- 
nation, information sharing, and risk analysis to their partners, including emer- 
gency managers. Over the last year, CSAs have had direct engagement with 13 
State or local emergency centers. In addition, the Department has conducted 
Cyber Resilience Reviews and assessments and provided support to numerous 
National Security Special Events, including planning for events such as the 
Super Bowl, and the G8 with the City of Chicago’s Office of Emergency Manage- 
ment & Communications. 

• Emergency Services Sector Cyber Risk Assessment. — Encompassing a wide range 
of emergency response functions carried out by five disciplines,¹ in 2012 the 
Emergency Services Sector completed a Cyber Risk Assessment, which provides 
a risk profile to enhance the security and resilience of the Emergency Services 
Sector disciplines. It is an effort to establish a baseline of cyber risks across the 
sector, to ensure Federal resources are applied where they offer the most benefit 
for mitigating risk, and to encourage a similar risk-based allocation of resources 
within State and local entities and the private sector. Emergency managers 
from local, State, and Federal government actively participated in the develop- 
ment process to ensure the assessment provided practical guidance for the pub- 
lic safety community. The Department continues to meet with officials from 
stakeholder associations such as the National Emergency Management Associa- 
tion to discuss next steps, including developing a workforce training program 
for emergency managers in order to increase cybersecurity capabilities within 
the emergency management community. 

• Local Pilot Projects with Emergency Managers and Critical Infrastructure Part- 
ners. — DHS is conducting three pilots to better understand the interconnections 
between cyber and physical infrastructure and the potential risks to the Nation. 
The first pilot, initiated in 2012, worked closely with Charlotte, NC emergency 
planners and neighboring communities to examine how a potential cyber attack 
could disrupt communications or other infrastructure operations. The work pro- 
vided additional ways for planners to mitigate potential cyber impacts and, as 
a result of the pilot, commercial facilities adopted additional security practices 
to shore up potential weaknesses. 

The second pilot is underway with the State of New Jersey examining the inter- 
relationship between IT, communications, and physical security. The pilot in- 
volves five water and wastewater facilities and has received praise from the 
State Office of Homeland Security and our water sector partners. As a result 
of initial findings, water facilities have taken immediate action to mitigate pre- 
viously unknown vulnerabilities. 

The third pilot is a joint cyber-physical assessment of a Federal facility in 
Washington, DC to develop a common approach for identifying cybersecurity 
vulnerabilities affecting security systems of Federally-protected facilities, in- 
cluding electrical, HVAC, water, telecommunications, and security control sys- 
tems. 

The lessons from these pilots have been incorporated into our integrated phys- 
ical and cyber Regional Resiliency Assessment Program (RRAP). This is helping 
strengthen the partnership we already have; build new relationships between 
SLTT CIOs, first responders, and critical infrastructure owners and operators; 
and lay the foundation for increased collaboration to increase cybersecurity resil- 
ience. 

• Nation-wide Public Safety Broadband Network (NPSBN) Cyber Infrastructure 
Risk Assessment. — The development and deployment of an IP-based network for 
public safety will represent a leap forward in communications capabilities for 
first responders, law enforcement, and other users of the NPSBN. However, the 
move to such a network presents a challenge for the emergency management 
community to identify threats to and vulnerabilities of cyber infrastructure in 
the NPSBN that could affect the network’s reliability and security. DHS is 


¹ Law Enforcement; Fire and Emergency Services; Emergency Management; Emergency Med- 
ical Services; and Public Works. 

working with the First Responder Network Authority (FirstNet) and the public 
safety community to identify cyber risks and develop potential responses to 
those risks. In 2013, OEC developed the NPSBN Cyber Infrastructure Risk As- 
sessment to provide FirstNet with a how-to guide to address the top cyber risks 
that the network may face, and is now working with FirstNet to ensure a more 
resilient network design that will integrate security and resilience into the over- 
all physical and cyber aspects of the NPSBN. 

• Cyber Threat Information Sharing. — In June 2013, DHS established 
“sharelines” in compliance with Executive Order (EO) 13636 and Presidential 
Policy Directive (PPD)-21 to help increase the volume, timeliness, and quality 
of cyber threat information shared with U.S. private-sector entities, to include 
SLTT owners and operators, so that these entities may better protect and de- 
fend themselves against cyber threats. Sharelines “facilitate the creation and 
dissemination of unclassified cyber threat reports to targeted private-sector en- 
tities owned or operating within the United States, as well as Federal, State, 
local, Tribal, and territorial partners” in a timely manner. 

ON-GOING EFFORTS 

DHS continues to build upon the relationships we have established throughout 
the Emergency Services Sector through strategic and operational efforts to provide 
solutions to our SLTT partners. On-going efforts within DHS consist of: 

• Update to the National Emergency Communications Plan. — DHS is updating the 
National Emergency Communications Plan (NECP) in coordination with the 
public safety community to enhance planning, preparation, and security of 
broadband technologies used during response operations. The Plan will discuss 
how cybersecurity has become a key consideration for public safety officials as 
new IP-enabled technology is increasingly integrated into operations. The NECP 
will endorse a multi-faceted approach to ensure the confidentiality, integrity, 
and availability of sensitive data. For example, comprehensive cyber training 
and education on the proper use and security of devices and applications, 
phishing, malware, other potential threats, and how to stay on guard against 
attacks will be recommended. 

• 9-1-1 Centers: Next Generation 9-1-1 and Telephonic Denial of Service. — Up- 
dated 9-1-1 infrastructure utilizes public voice, data, and video capabilities, 
which introduce new vulnerabilities into 9-1-1 systems. Separately, 9-1-1 cen- 
ters have been targeted by telephonic denial of service (TDOS) attacks that 
overwhelm Public Safety Answering Points’ administrative lines. These attacks 
inundate a 9-1-1 call center with a high volume of calls, overwhelming the sys- 
tem’s ability to process calls and tying up the system from receiving legitimate 
calls. DHS, through the NCCIC, has worked on the development and dissemina- 
tion of techniques for mitigating and managing these TDOS attacks in order to 
allow emergency management agencies to continue to provide these critical 
services to the public. 

• Protective Security Advisors (PSAs). — Within the Office of Infrastructure Protec- 
tion, PSAs serve as the nexus of our infrastructure security and coordination 
efforts at the Federal, State, local, Tribal, and territorial levels and serve as 
DHS’s on-site critical infrastructure and vulnerability assessment specialists. 
PSAs have also been working with CS&C to better coordinate assessments and 
as a result approximately half of cybersecurity site assessments administered 
by CS&C were conducted in tandem with PSAs — an example of how we are 
working to better and more effectively integrate our physical and cybersecurity 
efforts across NPPD and the Department. 

• Multi-State Information Sharing and Analysis Center (MS-ISAC). — DHS builds 
partnerships with non-Federal public-sector stakeholders to protect critical net- 
work systems. For example, the Multi-State Information Sharing and Analysis 
Center (MS-ISAC) opened its Cyber Security Operations Center in November 
2010, which has enhanced the National Cybersecurity & Communications Inte- 
gration Center (NCCIC) situational awareness at the State and local govern- 
ment level and allows the Federal Government to quickly and efficiently provide 
critical cyber risk, vulnerability, and mitigation data to State and local govern- 
ments. Since 2009, the NCCIC has responded to nearly a half a million incident 
reports and released more than 26,000 actionable cybersecurity alerts to our 
public and private-sector partners. 

Membership in the MS-ISAC consists of State and local CISOs and other lead- 
ership from all 50 State governments, the District of Columbia, 373 local gov- 
ernments, three territories, five Tribes, and 24 educational institutions. It pro- 
vides valuable information and lessons learned on cyber threats, exploitations, 
vulnerabilities, consequences, incidents, and direct assistance with responding 
to and recovering from cyber attacks and compromises. The MS-ISAC runs a 
24-hour watch and warning security operations center that provides real-time 
network monitoring, dissemination of early cyber threat warnings, vulnerability 
identification and mitigation, along with education and outreach aimed to re- 
duce risk to the Nation’s SLTT government cyber domain. This year the MS- 
ISAC developed a plan to increase engagement with emergency managers and 
fusion centers. 


OPERATIONAL EFFORTS 

Assuring the security and reliability of critical information networks is vital 
across all critical infrastructure sectors, including the Emergency Services Sector, 
which is charged with saving lives, protecting property and the environment, assist- 
ing communities impacted by disasters, and aiding recovery from emergencies. DHS 
is uniquely positioned to improve the cybersecurity posture of our stakeholders. 

NATIONAL PROTECTION AND PROGRAMS DIRECTORATE 

The Offices of the National Protection and Programs Directorate interact daily with 
State and local officials and emergency managers on communications and cybersecu- 
rity issues to strengthen infrastructure, educate citizens, and respond to and recover 
from on-line threats and attacks. 

• Cybersecurity and Communications. — CS&C maintains an overall focus on re- 
ducing risk to the communications and information technology infrastructures 
and the sectors that depend upon them, as well as providing threat and vulner- 
ability information and enabling timely response and recovery of these infra- 
structures under all circumstances. We execute our mission by supporting 24x7 
information sharing, analysis, and incident response through the National Cy- 
bersecurity Communications Integration Center (NCCIC); facilitating interoper- 
able emergency communications through our Office of Emergency Communica- 
tions (OEC); advancing technology solutions for private and public-sector part- 
ners; providing tools and capabilities to ensure the security of Federal civilian 
Executive branch networks; and engaging in strategic level coordination for the 
Department with stakeholders on cybersecurity and communications issues. Ad- 
ditionally OEC has strong ties to emergency managers through its outreach to 
State-Wide Interoperability Coordinators (SWIC), who are State officials serving as 
the primary points of contact for communications interoperability issues. These 
produce State-Wide Interoperability Plans which establish governance, proc- 
esses, and procedures to support first-responder communication. These strong 
relationships also help SLTT leverage other resources such as fusion centers. 

• Office of Infrastructure Protection . — The Office of Infrastructure Protection with- 
in NPPD leads and coordinates National programs and policies on critical infra- 
structure, including through implementation of the National Infrastructure Pro- 
tection plan (NIPP). The NIPP establishes the framework for integrating the 
Nation’s various critical infrastructure protection and resilience initiatives into 
a coordinated effort, and provides the structure through which DHS, in partner- 
ship with Government and industry, implements programs and activities to pro- 
tect critical infrastructure, promote National preparedness, and enhance inci- 
dent response. As the NIPP is updated based on the requirements of Presi- 
dential Policy Directive 21, Critical Infrastructure Security and Resilience, 
NPPD will work with critical infrastructure stakeholders to focus the revision 
on enhanced integration of cyber and physical risk management, requirements 
for increased resilience, and recognition for the need for enhanced information- 
sharing and situational awareness. As we work to update the NIPP we will sup- 
port the Emergency Services Sector to ensure that we inform first responders 
in their preparation for cyber incidents. 

COORDINATED CYBER/PHYSICAL RESPONSE 

While the National Cybersecurity Communications Integration Center (NCCIC) 
processes incident reports, issues actionable cybersecurity alerts, and deploys on-site 
incident response fly-away teams to critical infrastructure organizations to assist 
with analysis and recovery efforts of a cyber incident, the National Infrastructure 
Coordinating Center (NICC) provides situational awareness of threats to physical 
critical infrastructure, incident response support, and business reconstitution assist- 
ance. In addition to this coordination, as incidents or threats occur, PSAs living in 
communities across the country provide the Department with a 24/7 capability to 
assist in developing a common operational picture for critical infrastructure. NPPD 
efforts to integrate physical and cybersecurity have provided benefits during inci- 
dents including: 

• Hurricane Sandy . — NPPD operational efforts were able to facilitate much-need- 
ed fuel deliveries to critical telecommunication sites in lower Manhattan in 
order to fuel generators and keep the facilities operational in recent events like 
Hurricane Sandy. After PSAs were notified of the fuel supply shortage, NPPD 
provided analysis on the wide-spread impact if the telecommunications facility 
lost power, while the NCCIC worked with its public and private-sector partners 
to identify a fuel supply and coordinate its delivery to the critical site. 

• Boston Marathon Bombing . — OEC worked closely with public safety agencies in 
the Metro Boston Homeland Security Region and with the Commonwealth of 
Massachusetts on several key emergency communications initiatives prior to the 
2013 marathon including observing public safety communications during pre- 
vious marathons and events and offering suggestions to help strengthen the re- 
gion’s capabilities and improve coordination. Three years later, DHS saw many 
of the recommendations from this assessment in action in response to the bomb- 
ings, including the region’s use of a detailed communications plan (ICS Form 
205) for the event that assigned radio channels to various agencies and func- 
tions. 


CONCLUSION 

DHS provides a variety of services and capabilities designed to support emergency 
managers at all levels of engagement, across education, planning, cyber-incident re- 
sponse, and recovery activities. The services and capabilities are all integral parts 
of reducing risk and building capacity of our SLTT partners. As necessary, those re- 
lationships are leveraged in operational response efforts in order to meet immediate, 
critical needs. As technologies continue to advance and the dependencies and inter- 
dependencies between the sectors and systems continue to advance along with them, 
DHS will continue to work with emergency managers in a holistic fashion to plan, 
prepare, mitigate, and build resilience into those information and technology net- 
works and systems upon which they depend on a daily basis. Thank you for this 
opportunity to testify, and I look forward to answering any questions you may have. 

Mrs. Brooks. Thank you, Ms. Stempfley. 

The Chairwoman now recognizes Mr. English for 5 minutes. 

STATEMENT OF CHARLEY ENGLISH, DIRECTOR, GEORGIA 
EMERGENCY MANAGEMENT AGENCY, TESTIFYING ON BE- 
HALF OF NATIONAL EMERGENCY MANAGEMENT ASSOCIA- 
TION 

Mr. English. Thank you, Chairman Brooks, Chairman Meehan, 
and Ranking Members Payne and Clarke, for your foresight in hav- 
ing this hearing on bridging the gap between emergency manage- 
ment and the cybersecurity profession. 

You know, in my profession we all have come to believe that the 
cyber threat is a very real threat but what we disagree on some- 
times is what the extent of the consequences of that particular 
threat could be, whether or not it is just a matter of espionage or 
hackers trying to steal intellectual property or nation-states trying 
to uncover some type of technology that we have, or whether it is 
more of a theft of credit card and bank accounts and things of that 
nature, or whether or not, as Mr. Payne mentioned, the 9-1-1 sys- 
tem might be compromised in the middle of an event. 

So we still have a differing opinion on that but the one thing that 
we don’t have a difference of opinion on, and that is we can never 
again underestimate the creativity of those who want to harm us. 
Because if there is that will they will find a way, whether it is the 
lone hacker behind the computer screen, whether it is a group of 
terrorists that want to compromise one of our water treatment 
plants or dams, or if it is a nation-state trying to threaten us, we 
know that it would be a big mistake to underestimate that cre- 
ativity and to underestimate the organizational skills of our en- 
emies. 

Of course in emergency management we are all about the busi- 
ness of warnings and managing the consequences of an event. As 
I was thinking about our friends in the cybersecurity business I 
thought, you know, it would be great if we could develop a relation- 
ship that exists between the CIOs in the State and emergency 
managers and across the country that is similar to that of the me- 
teorologists. You know, that relationship is on autopilot. They are 
monitoring the weather. The conversation exists on a daily basis. 

I thought about, well, you know, we have forged a new relation- 
ship in this country in the past 12 or 14 years with the law en- 
forcement and the Intel community and the emergency manage- 
ment profession. Early on that was a tough relationship to forge 
because of the security clearances and the lack of reciprocity and 
the whole information sharing and we were putting together a 
clash of cultures, if you will, because the emergency manager 
wants every agency and every person available to help alleviate the 
pain and suffering after an event and to help keep people out of 
harm’s way. Naturally there are secrets that need to be kept, and 
so sometimes there was a little clash of cultures. 

But we have made tremendous progress in the past 12 or 13 
years in that regard and I think the same is true with the cyberse- 
curity professionals and the emergency management community. 
This is a relationship that will mature and it is not a matter of 
that no one really wanted to — or didn’t want to work together. I 
think everybody wanted to work together; we just weren’t sure how 
we were supposed to work together. 

So I think the challenge moving forward is not necessarily to cre- 
ate a new agency or start a new grant program, but maybe it is 
on us to teach one another about our professions and foster that 
relationship for the betterment of our country. 

With that, I will yield the rest of my time. Thank you. 

[The prepared statement of Mr. English follows:] 

Prepared Statement of Charley English 
October 30, 2013 

INTRODUCTION 

Chairman Brooks, Chairman Meehan, Ranking Members Payne and Clarke, and 
distinguished members of this panel — thank you for holding this hearing today on 
one of the most critical issues currently facing our Nation. Cybersecurity and the 
resultant vulnerabilities and consequences could easily match the impact of any sig- 
nificant natural disaster, so we must analyze these threats carefully and plan to 
manage them accordingly. 

The establishment of this committee came about more than a decade ago in the 
wake of an attack which came from an under-appreciated threat. This morning, we 
stand at the precipice of another such attack — one from a potentially nameless, face- 
less, and equally under-appreciated adversary. The threat of a cyber attack not only 
surrounds us, but also poses the additional threat of compromising the response and 
recovery efforts to the consequences of such an attack. 

Last summer, the Chairman of the House Intelligence Committee said he expects 
what he called “a catastrophic cyber attack in the next 12 to 24 months.” 

Earlier this year, former Secretary Napolitano said an incident on the scale of 
September 11 could happen “imminently.” 

The Defense Science Board went even further saying “coming cyber attacks could 
present an existential threat to the country.” 
As emergency managers, we operate in a world of consequence management. Ac- 
cordingly, we must understand threats, protect vulnerabilities, and know how to 
manage consequences. As we examine the cyber threats facing this Nation, we can- 
not fall into a September 10, 2001, mindset. Our actions must be pro-active and con- 
sider all potential outcomes. We must never say, “it cannot happen here” nor shall 
we fear being labeled an “alarmist” by merely acknowledging the potential dev- 
astating consequences of this already validated threat. 

THE THREAT 

Plenty of experts remain ready and willing to provide thoughts and hypotheses 
regarding the current cybersecurity threat. The vulnerabilities and resulting con- 
sequences we face in these threats represent the “bottom-line” for the emergency 
management community. Vulnerabilities are points of attack and weaknesses to be 
exploited. The emergency management community must address the consequences 
of vulnerabilities being exploited, not just the existence of vulnerabilities them- 
selves. In his report to Congress of March 12, 2013, Director of National Intelligence 
James Clapper outlined how “we are in a major transformation because our critical 
infrastructures, economy, personal lives, and even basic understanding of — and 
interaction with — the world are becoming more intertwined with digital technologies 
and the internet.” 

Such analyses are especially concerning as we continue witnessing a metamor- 
phosis of the cyber threat. Once a means by which to conduct espionage and steal 
information, the realm of cybersecurity must now include an analysis on the secu- 
rity and viability of our critical infrastructure. At the RSA Cybersecurity Conference 
on March 1, 2012, former FBI Director Robert Mueller stated “to date, terrorists 
have not used the internet to launch a full-scale cyber attack. But we cannot under- 
estimate their intent. In one hacker recruiting video, a terrorist proclaims that 
cyber warfare will be the warfare of the future.” Only through good fortune have 
organized terrorist groups not yet taken a greater interest in cyber attacks. But 
such a day is certainly coming. 

Earlier this year, Anonymous petitioned the White House to recognize hacking at- 
tacks as a legitimate form of protest. Their solicitation argued hacking is no dif- 
ferent than marching in an Occupy Wall Street protest. We must consider how such 
an approach can be combatted through our current systems and processes. Even 
though some experts believe Anonymous represents no true threat, others believe 
such an organization could bring down part of the U.S. electric power grid. Most 
recently, the homeland security community has been concerned with and has de- 
voted significant resources to combatting Homegrown Violent Extremists (HVE). It 
is reasonable to conclude that these individuals, acting alone or in small groups, cer- 
tainly have the motivation and expertise to conduct a cyber attack. 

Unfortunately, cyber threats represent risks far more diverse than most any other 
we face. While nation-states like Iran present a significant cyber threat, the greatest 
cyber threat from a nation likely comes from China where hacking stands as an offi- 
cial policy. Just recently, the Chief of Staff of the People’s Liberation Army put the 
cyber threat into perspective when he suggested such an attack could be as serious 
as a nuclear bomb. Even though in his report to Congress Director Clapper said “ad- 
vanced cyber actors — such as Russia and China — are unlikely to launch such a dev- 
astating attack against the United States outside of a military conflict or crisis that 
they believe threatens their vital interest,” the threat alone should be enough to 
garner the attention of the homeland security and emergency management commu- 
nity. 


ADDRESSING VULNERABILITIES & CONSEQUENCES 

Emergency managers stand increasingly concerned regarding the inter-connected- 
ness of the threat and everyday life in America. Citizens can evacuate in anticipa- 
tion of a hurricane. Strong building codes and safe rooms can protect lives in antici- 
pation of earthquakes or tornadoes. But as we consider the breadth and depth of 
our reliance on the cyber infrastructure, the emergency response efforts regarding 
consequence management could easily overwhelm local, State, and Federal assets 
due to the interdependencies of critical infrastructure and key resource protection 
as well as the ease of vulnerability exploitation from a cyber attack. Consider this 
short list of potential hazards and vulnerabilities: 

• Computer-controlled dams protecting a low-lying community, 

• National power grids and nuclear power plants, 

• Emergency Alert Systems (EAS) and 9-1-1 systems, 

• Traffic systems utilized to evacuate a population. 
• Banking systems ranging from Wall Street to basic on-line transfers and ATM 
withdrawals, 

• The National airline and air traffic control network, 

• Complex and simple communications systems from Emergency Operations Cen- 
ters to the basic smartphone, and 

• Water supply networks and waste management systems. 

Even many of today’s commonly-used Global Positioning System (GPS), which re- 
lies heavily on a cyber structure, represents a potential target vulnerable to attack. 
Taken by themselves, each of these threats could have devastating effects. But 
emergency managers must consider a potential event impacting any number of com- 
binations of these systems. 

The connectivity of systems today makes the consequences of a cyber attack more 
significant at all levels of government and throughout the private sector. Admit- 
tedly, emergency managers often defer cybersecurity issues to information tech- 
nology (IT) officials; yet State IT professionals and other leaders will rely on emer- 
gency managers to respond to the consequences of an attack. The emergency man- 
agement and IT communities must establish relationships and engage in coordi- 
nated planning and information sharing long before an event occurs. 

States such as Michigan continue taking a keen interest in how to manage the 
cybersecurity threat. Through robust coordination and planning at the State level, 
Michigan approaches cybersecurity with the same concepts as those employed when 
preparing for and responding to natural or terrorist threats. 

The Michigan Cyber Initiative brings together many State agencies including the 
Michigan National Guard, State Police, and Department of Technology, Manage- 
ment, and Budget in a coordinated effort to enhance detection of cyber attacks and 
integrate response systems. The Michigan Cyber Initiative integrates the Michigan 
Cyber Command Center, Michigan Cyber Defense Response Team, and Michigan In- 
telligence Operations Center to enhance prevention, early detection and rapid re- 
sponse, and control, management, and restoration. The Michigan Online Cyber Tool- 
kit raises awareness and preparedness for all the components of the cyber eco- 
system. The toolkit provides best practices and easy steps for safeguarding a vulner- 
able environment. It also offers the chance for users to quiz themselves, download 
posters and calendars, and obtain tip sheets on how to solve on-line problems. The 
toolkit is broken down by sectors including homes, businesses, Government, and 
schools. 

Michigan is clearly working hand-in-hand with various components in ensuring 
the addressing of cybersecurity across all disciplines. Even as these relationships 
continue developing in other States, however, we must examine how the con- 
sequences of a cyber attack will be addressed. Furthermore, we must complete an 
honest assessment of necessary authorities and whether they represent adequate re- 
sources to respond to such an attack. 

CURRENT AUTHORITIES 

As NEMA received briefings on the Quadrennial Homeland Security Review 
(QHSR) of the Department of Homeland Security (DHS), we inquired as to whether 
the Department would examine physical impacts of cybersecurity. They informed us 
that while the QHSR would include some examination of the consequences of a 
cyber attack, the Department’s analysis of past cyber attacks reveal very few phys- 
ical impacts constituting a significant threat to safety and life. We want to ensure 
that all potential consequences of a cyber attack are thoroughly considered. We feel 
like anything less is short-sighted and underestimates the ability and creativity of 
the enemy whether the enemy is foreign or domestic. Our country has on several 
occasions witnessed the creativity of those who are intent on harming us. There 
have been shoes, printer cartridges, underwear, and pressure cookers used as bombs 
and, of course, airplanes used as missiles. 

But even States struggle in addressing this threat. In a survey completed in Feb- 
ruary of this year, NEMA learned: 

• 79.1 percent of States interpret the consequences of a cyber attack under stat- 
utes as “All Hazards” versus 20.9 percent which list it as a specific hazard. 

• 62.8 percent of States do not maintain a law enforcement-specific component to 
any of the State statutes relating to cyber-response. 

• No clear best practice exists in assigning responsibility of coordination of re- 
sources to prepare for, respond to, or recover from a cyber attack with only 41.9 
percent of States citing such a directive. Of the 41.9 percent responsibility 
ranges from the emergency management to IT, homeland security, and the fu- 
sion center. 
With States remaining somewhat unclear on the appropriate course of action, the 
current lack of a cohesive National strategy at the Federal level is not surprising. 
We hope that as the response strategy matures the Federal Government will not over- 
bureaucratize the process and bury State and local governments in a sea of reports, 
guidance documents, and processes. 

We think it is prudent to continue the insistence of metrics and return on invest- 
ment calculations on the millions of dollars in initiatives funded at DHS. Some orga- 
nizations, however, such as the Office of Cybersecurity and Communication (CS&C) 
within DHS continue admirable work in their outreach to State and local officials. 
The effort must be comprehensive and coordinated in order to ensure all the nu- 
ances of the threat receive appropriate attention. Federal efforts must be structured 
in concert with States and locals rather than adopting a top-down approach. 

But underlying statutory authorities are equally unclear. During the NEMA An- 
nual Emergency Management Policy & Leadership Forum in Seattle, Washington 
last year, a panel of experts addressed the statutory issue. According to the panel- 
ists including a former Adjutant General, a DHS Deputy Assistant Secretary, and 
several State Homeland Security Advisors, the Civil Defense Act of 1950 (81-950) 
represents the only law potentially applicable to a potential cyber attack. Since the 
original intent of this Act provided for the response to a nuclear attack from the 
Soviet Union, the time to explore the efficacy of our current statutory authorities 
is now. Current statutory authorities are lacking regarding cyber attacks and are 
currently under revision; however, the recent remark by President Obama that a 
cyber attack can now be classified as an “act of war” significantly changes the “envi- 
ronment.” This recent change should be taken into consideration when speaking of 
statutory authorities and can be used to further illustrate the fluid and uncertain 
nature of the issue. 

Most emergency managers will turn to the Robert T. Stafford Disaster Relief and 
Emergency Assistance Act (Pub. L. 92-288). Unless the consequences of a cyber at- 
tack truly have catastrophic and physical consequences, however, the Stafford Act 
will be limited. Unfortunately, too many of the legislative fixes currently under con- 
sideration in Congress only address the prevention and preparedness side of cyber- 
security. While the pre-event aspects of cybersecurity maintain a high level of im- 
portance, so too will the post-event considerations. 

MOVING FORWARD 

The purpose of this hearing is to ensure consequence management resulting from 
a cyber attack is recognized as a priority with emphasis equal to preparedness 
measures. As Congress considers legislative options, the needs of the State and 
locals ultimately responsible for the consequences of a cyber attack must be first 
and foremost. In May of last year, NEMA joined with the American Public Works 
Association, Council of State Governments, International City/County Management 
Association, National Association of Counties, National Association of State Chief 
Information Officers, National Association of Telecommunications Officers and Advi- 
sors, National Conference of State Legislatures, the National League of Cities, and 
the International Association of Emergency Managers to ask Congress for your con- 
sideration of key principles and values when considering cybersecurity legislation. 
The outlined principles and values include: 

1. State and local governments must be viewed as critical stakeholders in Na- 
tional cybersecurity efforts. — Both execute programs overseen and funded by 
Federal agencies, and frequently are custodians of Federal data. They also oper- 
ate and manage critical infrastructure including data centers and networks 
which are necessary for basic homeland security and emergency management 
functions. Therefore, the Federal Government must work with State and local 
government to share threat information and to provide technical support to pro- 
tect computer networks and other related critical infrastructure. 

2. The Federal Government must avoid unfunded mandates on State and local 
partners. — Public budgets are still strained at all levels of government, and 
while State and local stakeholders wish to contribute to the overall cybersecu- 
rity effort, the ability to independently fund initiatives at this time is unlikely. 
Likewise, Federal program requirements and directives have traditionally hin- 
dered State and local governments from potentially achieving economies of 
scale. 

3. Federal, State, and local governments should collaborate to invest in cyberse- 
curity awareness, education, and training for public-sector employees, contrac- 
tors, and private citizens. 

4. The civil liberties and privacy of all citizens must be maintained while also 
establishing the safety and stability of the internet and electronic communica- 
tions. — This is especially critical as governments continue to expand on-line and 
electronic services. Safeguarding public-sector data that includes personal infor- 
mation of citizens will require cooperation and collaboration on data standards 
and cybersecurity methodology at all levels of government. 

5. Many Federal initiatives fund internet and information security programs. — 
However, without cross-cutting communication and coordinated assets, the ef- 
forts will not realize maximum efficiency and impact. If there are privacy and 
security requirements that are pre-conditions of Federal programs and funding 
they must be uniformly interpreted and implemented across all agencies and 
levels. 

Earlier this year, NEMA attempted an effort to address cybersecurity con- 
sequences simply from the emergency management standpoint. A workgroup com- 
prised of many NEMA members has worked since March in developing a doctrine 
for emergency management directors to consider. Unfortunately, even this effort 
proved more difficult than originally anticipated, and instead of continuing alone, 
NEMA has since joined forces with the National Governors Association (NGA) in 
their cybersecurity efforts. 

NGA recently released a “Call to Action for Governors for Cybersecurity.” The doc- 
ument outlines guiding principles, immediate actions to protect States, provides 
multiple examples from various States, and discusses a path forward. The guiding 
principles include supporting Governors, remaining actionable, reducing complexity, 
protecting privacy, employing technologically-neutral solutions, promoting flexible 
federalism, generating metrics, and promoting the use of incentives. NEMA looks 
forward to continuing our work with NGA as this complex issue gains increased at- 
tention. 

The combined capacity of Federal, State, and local governments to adequately 
safeguard the Nation’s critical infrastructure systems remains essential to ensuring 
effective operations across the full spectrum of the threats we face. Furthermore, in 
order for communities to effectively manage emergency situations, cyber systems 
must be resilient to acts of terrorism, attacks, and natural disasters. 

CONCLUSION 

Cybersecurity represents the most complex threat and advanced vulnerabilities 
we as a Nation face. We must ensure consequence management resulting from a 
cyber attack is recognized as a priority with emphasis equal to preparedness meas- 
ures. The challenge for all of us will be to examine it through a new prism, for we 
will fail if we respond the same way as always. This is not a traditional threat and 
reaches across sectors of our society which may have never before worked together. 
Cyber threats can only be addressed through collaboration, planning, and a deep un- 
derstanding of the potential consequences. For if we fail either through prevention 
or response, the impacts truly could be disastrous. 

Thank you. 

Mrs. Brooks. Thank you, Mr. English. 

The Chairwoman now recognizes Dr. Orgeron for 5 minutes. 

STATEMENT OF CRAIG ORGERON, CIO AND EXECUTIVE DI- 
RECTOR, DEPARTMENT OF INFORMATION TECHNOLOGY 

SERVICES, STATE OF MISSISSIPPI, TESTIFYING ON BEHALF 

OF NATIONAL ASSOCIATION OF STATE CHIEF INFORMATION 

OFFICERS 

Mr. Orgeron. Thank you Chairs Brooks and Meehan, Ranking 
Members Payne and Clarke, and Members of the committee, for in- 
viting me to speak today. I am truly honored by the invitation. 

As the executive director of the Mississippi Department of ITS, 
Information Technology Services, as well as president of the Na- 
tional Association of State Chief Information Officers, better known 
as NASCIO, I can report that each year States are facing greater 
numbers of evolving and sophisticated cyber threats. The State of 
Mississippi’s IT systems, like systems from all States, face cyber at- 
tacks ranging from a few thousand attempts to as many as 10 mil- 
lion a day — some domestic, many international. To win this on- 
going battle, State IT experts have to be right every time while 
hackers need to be only right once. 

As these attacks continue to grow more sophisticated, both public 
and private-sector entities will need to develop better tools and in- 
crease collaboration to both deter attacks and plan a coordinated 
response to contain the damage from successful attacks. This ulti- 
mately requires a multi-sector approach with all levels of Govern- 
ment and private industry working together. 

State CIOs are, indeed, at the table in securing State systems. 
Each year NASCIO surveys its membership. Our 2013 survey, 
which I have attached to my written testimony, shows how State 
CIOs are taking important steps toward building a more secure 
State IT environment. However, there are still known gaps. 

According to our survey data, the State CIO role in disaster re- 
covery appears to be increasing yearly. State CIOs generally coordi- 
nate with other State officials in restoring and maintaining infra- 
structure and communication services to help their State respond 
to and recover from natural and man-made disasters. When asked 
about their concerns, State CIOs put increasingly sophisticated 
threats to their systems followed closely by a lack of funding and 
inadequate availability of security professionals at the top of their 
list. 

As the Federal Government and private sector ramp up their de- 
fenses against sophisticated hackers, State governments are becom- 
ing prime targets of foreign state-sponsored entities and inter- 
national crime syndicates. These hackers can remain in State sys- 
tems monitoring data and waiting to unleash significant harm. In 
worst-case scenarios, a sophisticated hack on public safety systems 
or critical infrastructure could coincide with a physical attack or a 
natural disaster to impede the ability of authorities to respond to 
one or both events. 

It is well-known that when compared with the private sector and 
the Federal Government, States do not have comparable resources 
and tools to provide similar levels of protection to their systems de- 
spite the fact that they often maintain the same sensitive informa- 
tion and key critical infrastructure. This is only partly a financial 
issue; it is also a policy and a skilled personnel issue. On the latter 
two fronts, there is a great deal the Federal Government can do to 
help State governments improve preparedness and respond to 
cyber attacks. 

I have included many of NASCIO’s policy recommendations in 
my testimony but here are five areas: First, flexibility at the State 
level. Federal resources in support to States must respect and bol- 
ster the State organizations. Public-sector cybersecurity is in its in- 
fancy. Best practices must be shared but diverse approaches, par- 
ticularly when it comes to governance, information sharing, and 
methodology, should be nurtured. 

Second, increasing the workforce: Expanding Federal scholar- 
ships to study cybersecurity in exchange for working several years 
in the Federal Government or for State or local governments has 
a two-fold benefit of both better protecting our citizens and expand- 
ing available talent pools of cybersecurity experts. 

Third, modernizing Federal regulations: Congress should con- 
sider working with NASCIO and the States to update the Federal 
Information Security Management Act, or FISMA, with cybersecu- 
rity rules that better conform to universal, outcome-based stand- 
ards that would provide both Federal agencies and States with bet- 
ter security as well as greater efficiencies. 

Updating homeland security funding: Efforts to utilize existing 
Federal programs to better State governments in protecting the 
Nation against cyber attacks should also be explored. More than 10 
years out from September 11, 2001, homeland security grants 
should be reformed to reflect the current threats faced by our 
States and localities. 

Last, applying what we know: NASCIO believes the National Cy- 
bersecurity Review, or NCSR, is an excellent opportunity to review 
our National preparedness and provide resources and technical as- 
sistance to fill the gaps in our defenses. Holding hearings such as 
this one and finding ways to share information and resources will 
be crucial moving forward. 

We ask that Congress continue to work with the States in identi- 
fying ways to protect our Nation’s digital assets. 

Thank you for the opportunity to testify and your time today. 

[The prepared statement of Mr. Orgeron follows:] 

Prepared Statement of Craig Orgeron 
October 30, 2013 

Thank you Chairs Brooks and Meehan, Ranking Members Payne and Clarke, and 
Members of the committee, for inviting me to speak to you today. I am honored by 
the invitation. As we wrap up Cybersecurity Awareness Month it is timely that we 
are having this hearing on one of our Nation’s most significant vulnerabilities. 

As executive director of the Mississippi Department of Information Technology 
Services (ITS), as well as president of the National Association of State Chief Infor- 
mation Officers, better known as NASCIO, I can report that each year States are 
facing greater numbers of evolving and sophisticated cyber attacks. In addition to 
States serving as a repository of sensitive data about our citizens and homeland, 
States increasingly utilize the on-line environment to deliver vital services, maintain 
critical infrastructure such as public utilities, and ensure our first responders re- 
ceive the data they need in crisis situations. State government IT systems are a 
vital component of the Nation’s critical infrastructure. 

Today, with this testimony, I want to provide the committee information on the 
readiness of our State governments to defend against and respond to major cyber 
attacks, as well as opportunities to collaborate to minimize the risk to our Nation. 
I hope to give you a sense of the threat landscape and how States and the Federal 
Government, along with the private sector, can work together to better secure our 
homeland. 

State governments are at risk from a host of new and aggressive security threats 
that require a formal strategy, adequate resources, and constant vigilance. Cyberse- 
curity continues to be one of the major “hot button” issues for State CIOs and one 
that receives increasing attention from Governors and other elected officials. 

State CIOs are taking the lead in securing State systems. According to NASCIO’s 
2013 survey of State CIOs conducted in collaboration with TechAmerica and 
Grant Thornton LLP, significant improvements have been made in the last few 
years. Over three-quarters of States have adopted a cybersecurity framework, imple- 
mented continuous vulnerability monitoring capabilities, and developed security 
awareness training for employees and third-party contractors. These are key steps 
toward building a more secure State cyber environment. Unfortunately, less than 
half of States are documenting the effectiveness of the cybersecurity program they 
have in place, and even fewer have developed a cybersecurity disruption response 
plan. 

In the same survey, CIOs were asked about the major barriers they faced in ad- 
dressing cybersecurity. The increasing sophistication of threats, followed closely by 
a lack of funding and inadequate availability of security professionals, topped the 
list. Additionally, the survey data reveals that only 8 percent of States have imple- 
mented identity and access management of State data systems across the enter- 
prise, although 42 percent of respondents noted an in-process implementation. 

The State CIO role in disaster recovery appears to be increasing each year. Ac- 
cording to the NASCIO 2013 survey almost two-thirds of States pursue a federated 
strategy to disaster recovery, with responsibilities split between the CIO and State 
departments and agencies. The survey also queried State CIOs regarding their role 
in helping their State respond to and recover from a natural or man-made disaster. 
The survey results show almost all CIOs see their role as one of coordinating with 
other State officials and restoring and maintaining infrastructure and communica- 
tions services. I have attached the full results of this survey to my testimony today, 
along with the 2012 Deloitte-NASCIO Cybersecurity Study entitled “State govern- 
ments at Risk,” for your further review.* 

The State of Mississippi’s IT systems, like systems from all States, face cyber at- 
tacks every day, ranging from a few thousand attempts to as many as 10 million 
per day — some domestic, many international. To win this on-going battle, State IT 
experts have to be right every time, while hackers need to only be right once. As 
these attacks continue to grow more sophisticated, both public and private-sector en- 
tities will need to develop better tools and increase collaboration to both deter at- 
tacks and plan a coordinated response to contain the damage from successful at- 
tacks. This ultimately requires a multi-sector approach, with all levels of govern- 
ment and private industry working together. Securing systems in cyberspace, and 
responding to successful hacking attempts, has little in common with traditional 
emergency management after a disaster. Advanced cyber threats are much more 
akin to an aggressive, new strain of virus: The threat is diffuse, and almost impos- 
sible to prevent before it comes into being. In addition, just like a new viral strain, 
it takes time to properly identify and contain the virus, educate the populace about 
how to avoid contracting it, and treat those infected. 

As the Federal Government and private sector ramp up their defenses against so- 
phisticated hackers, State governments are becoming a prime target of foreign, 
state-sponsored entities, and international crime syndicates. Sophisticated hackers 
may hide in IT systems for years — creating what is referred to as an “advanced per- 
sistent threat.” These hackers can remain in State systems monitoring data and 
waiting to unleash significant harm to our Nation’s financial systems, transpor- 
tation systems, supply chain, and key utilities such as the electrical grid, and pipe- 
lines, to name a few. In worst-case scenarios, a sophisticated hack on public safety 
communication systems or critical infrastructure could coincide with a physical at- 
tack or natural disaster to impede the ability of authorities to respond to one or both 
events. 

Elected leaders at all levels have come to understand that cybersecurity is a sig- 
nificant issue that requires their attention. The National Governors Association 
(NGA) is working with the National Emergency Management Association (NEMA), 
NASCIO, and members of the private sector, to build upon this greater under- 
standing. Based on this collaboration, NGA released “A Call to Action for Governors 
for Cybersecurity,” which provides strategic recommendations Governors can imme- 
diately adopt to improve their State’s cybersecurity posture. By gaining support 
from the Governor’s office, a State can tackle key issues of governance and create 
an authority structure that builds comprehensive cybersecurity across the State en- 
terprise. It is well-known that when compared with the private sector and the Fed- 
eral Government, States do not have comparable resources and tools to provide 
similar levels of protection to their systems, despite the fact that they often main- 
tain the same sensitive information and key critical infrastructure. 

This is only partially a financial issue — it is also a policy and skilled personnel 
issue. On the latter two fronts, there is a great deal the Federal Government can 
do to help State governments improve preparedness and response to cyber attacks. 

On policy, perhaps the single key to ensuring a substantial attack does not blind- 
side us is the Federal Government facilitating greater information sharing between 
Federal agencies, the private sector, and State and local partners. NASCIO believes 
the implementation of Executive Order 13636 and Presidential Policy Directive 21 
will be a first step to achieving these goals. 

As each State’s cybersecurity level of maturity and governance is different, 
NASCIO would be concerned about any effort by the Federal Government to des- 
ignate a single State entity as the responsible point for sharing and disseminating 
information between State and Federal entities. Such decisions should ultimately be 
left to each State’s Governor to fit their model of cyber governance. Just as each 
State has different geography and vulnerabilities to extreme weather or man-made 
disasters, State Information Technology systems and the governance of those IT sys- 
tems are very different. Federal resources and support to States must respect and 
bolster the State organizations. 

* The information has been retained in committee files. 

States rely on multiple external resources for threat information, such as the 
Multi-State Information Sharing and Analysis Center (MS-ISAC), United States 
Computer Emergency Readiness Team (US-CERT), and FBI’s InfraGard. States 
then act on this information through various channels: Some States have built a so- 
phisticated cyber capacity at their State fusion center, others have bolstered the au- 
thority of their Office of Information Technology, and some coordinate with a cyber 
division of their State National Guard. The Federal Government should support all 
these approaches. Public sector cybersecurity is in its infancy; best practices must 
be shared, but diverse approaches — particularly when it comes to governance and 
methodology — should be nurtured. 

Due to the diverse landscape at the State level, the Federal Government must be 
as inclusive as possible in disseminating threat information, and work outside the 
public safety and intelligence sector’s traditional one-to-many comfort zone. Cyberse- 
curity works best when more people have an understanding of the threats. There- 
fore, NASCIO and its members applaud the on-going effort to provide greater de- 
classification of cyber threat information. We hope this will be followed by collabo- 
rative effort to standardize information exchange models for sharing threat data. 

Classified threats will always exist, though, and therefore, greater access to classi- 
fied information is needed at the top echelons of State government. As of now, the 
U.S. Department of Homeland Security (DHS) will only provide State governments 
with two Top Secret clearances. Typically, these go to the Governor and their home- 
land security advisor or director of public safety. This means in many States, chief 
information officers or their chief information security officers are not cleared to the 
appropriate level to receive vital information from the intelligence community on the 
most advanced international threats against our networks. This should be remedied. 

Additionally, while opportunities for limited Federal assistance for cyber threats 
have been included in the National Preparedness Grant Program (NPGP), the 
formulaic structure of the program means States do not have enough funding to do 
much more than maintain legacy homeland security investments and administer 
grants to local governments. For NPGP to meet the current threats faced by our 
States and localities, changes will need to be made by Congress and the administra- 
tion. 

Besides fixing funding models to meet the current threat, there are other policy 
efforts that can be undertaken to maximize the impact of existing cybersecurity re- 
sources. NASCIO believes the National Cyber Security Review, or NCSR, is an ex- 
cellent opportunity to review our National preparedness and provide resources and 
technical assistance to fill gaps in our defenses. 

The NCSR is a voluntary self-assessment survey designed to evaluate cybersecu- 
rity management within State, local, Tribal, and territorial governments. At the re- 
quest of Congress, DHS has partnered with MS-ISAC, NASCIO, and the National 
Association of Counties (NACo) to develop and conduct the NCSR. The survey is 
now in the field and we expect final results to be provided in the first quarter of 
next year. Much like the Threat and Hazard Identification and Risk Assessment 
(THIRA) provides a guide for investment in traditional homeland security gaps, the 
NCSR could be followed up with the promise of Federal technical assistance to State 
and local participants who lag behind in vital areas. This will have the dual benefit 
of safeguarding citizen data and encouraging greater participation in National-level 
vulnerability assessments. 

NASCIO also supports efforts to include State governments as a participant in 
programs that build the public sector cybersecurity workforce. One of the greatest 
difficulties States face is attracting and retaining talent in this information security 
sector. States cannot compete with the salaries provided by the private sector, or 
the allure of positions in the U.S. Federal intelligence services. Federal scholarships 
to study cybersecurity in exchange for working several years in the Federal Govern- 
ment, or for State or local governments, has the two-fold benefit of better protecting 
our citizens and expanding the available talent pool of cybersecurity experts. Schol- 
arships should be expanded to ensure those who take advantage of them can work 
at any level of government protecting IT systems. 

As many successful cyber attacks could be prevented by good cyber hygiene and 
security practices. Federal collaboration with State and local governments to create 
a culture of awareness and preparedness would also be a significant step forward. 
Just like “see something, say something,” clicking one’s seat belt before driving, or 
even covering your mouth when you sneeze, public awareness and habit is one sim- 
ple way to significantly reduce the threat. 

The Federal Government can also take steps to reduce burdens on State and local 
governments by harmonizing cybersecurity standards and requirements across Fed- 
eral programs so State governments can provide more efficient and effective security 
of programs at a lower cost to taxpayers. Under the Federal Information Security 
Management Act, better known as FISMA, States are required to check certain 
boxes regarding security when taking Federal grant dollars. However, Federal agen- 
cies interpret these rules differently, and require different security standards. This 
often means that States must spend money on redundant systems to comply with 
a patchwork of Federal rules. It also means a lack of compatibility between various 
systems that States manage, which could otherwise be consolidated and more se- 
cure. Congress should work with NASCIO and the States to replace FISMA with 
cybersecurity rules that better conform to universal, outcome-based standards that 
would provide both Federal agencies and States with better security as well as 
greater efficiency. 

Cybersecurity is a complex issue, and we have a long road ahead of us to making 
our Nation’s systems more secure. There is no single solution here — or in tech 
speak, there isn’t a “killer app.” With the diffuse threat and diverse actors, cyberse- 
curity requires a many-to-many approach. Most public safety response efforts are 
command-and-control, line-of-command efforts. Such efforts will not work when it 
comes to cybersecurity and response. With cyber attacks and the resultant impact, 
there is rarely a front line and the “path of the storm” is usually not obvious. 

Holding hearings such as this one and finding ways to share information and re- 
sources will be crucial moving forward. We ask that Congress continue to work with 
the States in identifying ways to protect our Nation’s digital assets, including rap- 
idly maturing threat information-sharing entities and developing a common frame- 
work that can serve as a roadmap and provide funding justification for State cyber- 
security. Thank you for the opportunity to testify and your time today. 

Mrs. Brooks. Thank you, Dr. Orgeron. 

The Chairwoman now recognizes Mr. Sena for 5 minutes. 

STATEMENT OF MIKE SENA, DIRECTOR, NORTHERN CALI- 
FORNIA REGIONAL INTELLIGENCE CENTER, TESTIFYING ON 
BEHALF OF NATIONAL FUSION CENTER ASSOCIATION 

Mr. Sena. Thank you, Chairman Brooks and Chairman Meehan 
and Members of the subcommittees. On behalf of the National Fu- 
sion Center Association I would like to thank you for the oppor- 
tunity to share our perspective on this increasingly important 
issue. 

Back in July the Majority staff of this committee released a re- 
port on the National Network of Fusion Centers after visiting more 
than 30 of them. The report noted that nearly 200 JTTF investiga- 
tions have been created as a result of the information provided by 
fusion centers and nearly 300 terrorist watch list encounters re- 
ported through fusion centers enhanced existing terrorism cases. 

Those successes were enabled because the National Network has 
developed into a mechanism for regular exchange of criminal intel- 
ligence and terrorism threat information across jurisdictions. This 
mechanism is ready made for information sharing on cyber threats 
as well, but we have a long way to go. 

We need to recognize a couple of realities. First, a streamlined 
system of reporting, analyzing, and sharing threats and incidents 
requires leadership at the State and local level and the clear ac- 
ceptance of what roles different partners can and should play. 
While the systems of interaction will vary from State to State, we 
need to structure relationships so that our personnel know where 
information should be flowing from and disseminated to. 

Second, our human resource base at the State and local levels 
has not adapted quickly enough to address the increased cyber 
threats. State and local law enforcement, homeland security, and 
emergency management functions, including fusion centers, must 
have personnel who are adequately trained to respond quickly and 
share information rapidly so that additional crimes can be pre- 
vented. 

The NFCA has been working over the past year with the Inter- 
national Association of Chiefs of Police, the program manager for 
the information-sharing environment, the Department of Homeland 
Security Office of Intelligence and Analysis, private-sector part- 
ners, and other associations to develop a pilot program. The pilot 
will be funded by the PM-ISE through DHS to the Center for 
Internet Securities, MS-ISAC. 

The pilot will address needs identified by a wide range of stake- 
holders including the need for increased time lines, volume, and 
quality of information the Federal Government shares with State, 
local, and private-sector partners; the need for standardization of 
information-sharing processes among various levels of government; 
and the development of cyber response best practices; leveraging 
current counterterrorism tools and processes for cyber incident 
handling and intelligence sharing; and promoting private-sector co- 
operation and information sharing. 

We expect the pilot to get underway soon and we look forward 
to updating the committee on our progress. 

I want to raise four issues that we think this committee should 
be aware of and help us think through. 

First, enhanced cooperation by Federal partners through more 
information sharing and Unclassified levels would help connect 
dots and lead to faster action. Our Federal partners tend to operate 
on the high side, but since threat information is coming into fusion 
centers from State, local, and private-sector customers who expect 
timely responses, operating in a classified environment can slow 
down information flow. 

When the Classified document is created, an Unclassified version 
must also exist for dissemination. We need to get classification 
issue right so that we can be responsive to our communities while 
safeguarding critical infrastructure and key resources and informa- 
tion assets from exploitation. 

Second, building training and maintaining a strong cyber analyst 
cadre within fusion centers and law enforcement should be a pri- 
ority. We have great partners like the United States Secret Service, 
whose Hoover, Alabama facility provides cyber training for fusion 
centers and other analysts. That program should be a priority for 
new investment in the immediate future so that the training can 
reach a greatly expanded audience. 

Third, the Terrorism Liaison Officer program is a successful 
partnership between fusion center and State and local law enforce- 
ment, fire service, first responder, public health, and private-sector 
communities within their areas of responsibility. This system maxi- 
mizes situational awareness and provides a clear mechanism for 
ground-level suspicious and criminal activity to quickly funnel 
leads to investigative agencies. 

The success of the TLO program in the physical domain should 
be extended to the cyber domain in the form of a cyber TLO pro- 
gram. Trained TLOs know what to do in the world of physical 
threats; the same should happen with cyber threats. 

City, county, and State governments, as well as CIKR owners 
and operators should be part of the cyber liaison program. This 
mechanism would ensure that investigative leads filter up to the 
appropriate agencies while regular reporting on the latest cyber 
threats can be pushed down through the network. 

Finally, every fusion center should have the ability to triage 
threat reports and develop products to help partners mitigate 
threats. Ideally, we need a constantly-updated automatic system 
that provides partners with the threat information — both machine- 
and human-readable — in real time, action to identify the attack, 
identify the associated indicators of compromise, and disseminate 
those indicators of compromise to partners in a timely manner. 
That is essential. 

Thank you again for this opportunity to share our thoughts. I en- 
courage you to continue to reach out to your fusion center in your 
State or region and find out about their challenges and best prac- 
tices. 

Thank you. 

[The prepared statement of Mr. Sena follows:] 

Prepared Statement of Mike Sena 
October 30, 2013 

Chairman Brooks, Chairman Meehan, Members of the subcommittees, my name 
is Mike Sena and I am the director of the Northern California Regional Intelligence 
Center (NCRIC), which is the fusion center for the San Francisco Bay and Silicon 
Valley region. I currently serve as president of the National Fusion Center Associa- 
tion (NFCA). On behalf of the NFCA and our executive board, thank you for the 
opportunity to share our perspective on the analysis and sharing of information on 
threats from the cyber domain that we are seeing at a rapidly increasing pace. 

The National Network of Fusion Centers (National Network) includes 78 des- 
ignated State and major urban area fusion centers. Every center is owned and oper- 
ated by a State or local government entity. The majority of operational funding for 
fusion centers comes from State or local sources, while Federal grants — primarily 
through the Homeland Security Grant Program at FEMA — are a major source of ad- 
ditional support. Our centers are focal points in the State, local, Tribal, and terri- 
torial (SLTT) environment for the receipt, analysis, gathering, and dissemination of 
threat-related information between the Federal Government, SLTT, and private-sec- 
tor partners. 

As the report on fusion centers that was released in July of this year by the Ma- 
jority staff of the full House Homeland Security Committee noted, nearly 200 FBI 
Joint Terrorism Task Force investigations have been created as a result of informa- 
tion provided to the FBI through fusion centers in recent years, and nearly 300 Ter- 
rorist Watchlist encounters reported through fusion centers enhanced existing FBI 
terrorism cases. Most fusion centers are “all-crimes” centers, meaning that they do 
not focus on just terrorism-related threats. Most centers are supporting law enforce- 
ment and homeland security agencies in their States and regions through analysis 
and sharing of criminal intelligence to address organized criminal threats and to 
support intelligence-led policing. 

Because the National Network of Fusion Centers has developed into a mechanism 
for regular exchange of criminal intelligence and threat information across jurisdic- 
tions, we are increasingly involved in addressing cyber threats. My center — the 
NCRIC — is actively involved in cyber threat analysis and information sharing with 
our Federal partners, other fusion centers, State and local governments in our re- 
gion, and private-sector partners. As with any other successful law enforcement or 
intelligence effort, good relationships are at the heart of the matter. We must de- 
velop strong and trusting relationships with our customer agencies as well as with 
the private sector to ensure timely information flow. As an example of partnership 
development, the NCRIC is working with a major utilities service provider — that 
faces significant persistent cyber attacks — to assign personnel inside the fusion cen- 
ter. Once in place, this partnership will result in the development of capabilities to 
improve internal security for the company, but also new threat analysis and preven- 
tion capabilities for other critical infrastructure partners across the sector. The 
NCRIC hosts a working group including private-sector CIKR owners that meets reg- 
ularly to discuss threats and share information. 

But my center is not the norm across the National Network. Today, less than half 
of the fusion centers have a dedicated cyber program. We expect that number to 
grow as the threats grow, but we must have additional resources to support the spe- 
cialized training and personnel to further that mission. We cannot take away from 
our established missions to tackle new ones. We also must coordinate closely with 
other entities that play roles in cyber threat awareness, analysis, and information 
sharing — including the organizations my fellow panelists here today represent. 

The reality is that we are dealing with a growing category of criminal activity fea- 
turing different impacts as compared to traditional crime. Because the impacts are 
“quieter” and — to date — most often bloodless, it is more difficult to make a clear case 
for investments in systematic improvements in law enforcement and criminal intel- 
ligence capacity to deal with these threats. 

But as we all know, the threats and their consequences are very real. And the 
threats are growing — from small, targeted operations that impact a family’s finances 
to large operations that threaten an electric grid. Large critical infrastructure own- 
ers know who to call when something happens — they are likely to have existing 
partnerships with Federal law enforcement and investigative bodies. But who does 
a family call when they notice they have been violated? What about a small busi- 
ness or, even more concerning, a smaller vendor that may be part of an important 
supply chain? State and local law enforcement across the country are reporting in- 
creased calls related to cyber crime. Questions related to jurisdiction and investiga- 
tive capacity are difficult to answer in many of these cases. But the analysis and 
sharing of threat information is essential to prevent more victimization. 

As the NFCA has worked with our partners in State and local law enforcement 
on this issue over the past year, it has become clear that we have significant needs 
for capability and capacity enhancements. As I wrote in a blog post for the Program 
Manager for the Information Sharing Environment (PM-ISE) last week, the NFCA 
is working with the International Association of Chiefs of Police (IACP), the PM- 
ISE, private-sector partners, and other professional associations to assess needs 
across the country. I want to specifically acknowledge the office of the Program 
Manager for the Information Sharing Environment, DHS Intelligence & Analysis, 
and FEMA for their recognition of the importance of this effort, and for moving the 
ball downfield. These are outstanding partners in our efforts and we rely on them 
daily. 

In August 2012, the NCRIC hosted a roundtable for cybersecurity stakeholders 
that included representatives from the financial and IT sectors, as well as Federal, 
State, and local officials. These participants identified two types of information shar- 
ing: (1) Fusion centers engaged in sharing tactical information on company or sec- 
tor-specific situational awareness; and (2) fusion centers sharing strategic informa- 
tion on threats, risks, and trends through strategic forums that involve both the 
public and private sectors. IACP partnered with the Department of Homeland Secu- 
rity to facilitate a December 2012 roundtable to further clarify requirements for cy- 
bersecurity information sharing. 

Building on the momentum of the August and December events, the NCRIC and 
the IACP held the Cybersecurity Evaluation Environment Pilot Kick-off Event in 
February 2013. The first day of this 2-day event focused on soliciting cybersecurity 
information-sharing requirements from industry partners and developing potential 
Federal, State, and local government processes for cybersecurity information sharing 
with the private sector. Participants also discussed Government requirements for cy- 
bersecurity information sharing. On the second day, the Government participants 
worked to design a “cybersecurity pilot” that would advance fusion center cybersecu- 
rity information-sharing capabilities. 

The pilot will be funded by DHS through the Multi-State Information Sharing and 
Analysis Center (MS-ISAC) and executed in coordination with all appropriate stake- 
holders. It will focus on addressing needs identified by stakeholders including: 

• the need for increasing the timeliness, volume, and the quality of the informa- 
tion the Federal Government shares with State/local/Tribal government and pri- 
vate-sector partners; 

• the need for standardization of information-sharing processes between the Fed- 
eral and State/local/Tribal governments and the development of cyber response 
best practices; 

• leveraging current counterterrorism-developed tools and processes for cyber in- 
cident handling and intelligence sharing; 

• enhancing the protection of State/local/Tribal networks; 

• supporting cyber crime investigations; and 

• promoting private-sector cooperation and information sharing. 

We expect the pilot to get underway soon and we look forward to keeping the com- 
mittee apprised of our actions. 
We believe it is important to recognize a couple of realities. First, a streamlined 
system for reporting, analyzing, and sharing threats and incidents requires leader- 
ship at the State level in each of our States and a clear acceptance of what roles 
fusion centers can and should play. Roles, responsibilities, and capabilities should 
be clearly understood — including by private-sector partners — and we have to ac- 
knowledge that we are not where we need to be. That is why efforts like the pilot 
project we are about to engage in with the leadership of PM-ISE and IACP are so 
important. While the systems of interaction may vary from State to State, we need 
structured relationships so that our personnel know where information should be 
flowing from and disseminated to. 

Second, our human resource base in investigative and intelligence settings at the 
State and local levels has not adapted quickly enough to address the increased cyber 
threat. Again, citizens report crimes to law enforcement no matter the type. Federal 
agencies cannot possibly investigate all of those crimes, even as they have a need 
to be aware of them in case they relate to other incidents in other locations. State 
and local law enforcement, homeland security, and emergency management func- 
tions — including fusion centers — must be resourced to respond to those crimes 
quickly and share information rapidly so that additional crimes can be prevented. 

As the July, 2013 committee staff report on fusion centers noted, “Ultimately, it 
is the FBI’s responsibility to conduct counterterrorism investigations. However, no 
single government entity has the mission and capacity to coordinate, gather, and 
look comprehensively across the massive volume of State and locally-owned crime 
data and SARs and connect those ‘dots’, particularly those related to local crime 
and, potentially, the nexus between those criminal activities and terrorist activity. 
This is the principal value proposition for the National Network.” This reality ex- 
tends to the cyber threat domain. 

Next week the National Fusion Center Association will host a major event across 
the river in Alexandria, Virginia. The NFCA Annual Training Event will bring to- 
gether fusion center directors and analysts from nearly all 78 centers, as well as 
Federal partners including DHS, partner associations from State and local law en- 
forcement and emergency response, fire service representatives, and industry to re- 
ceive training and share best practices. Among the training sessions are two sepa- 
rate sessions on cyber threat analysis and information sharing. Representatives 
from the Kansas City Terrorism Early Warning Group, the Orange County (CA) In- 
telligence Assessment Center, the Louisiana State Analytical and Fusion Exchange 
(LA-SAFE), the San Diego Law Enforcement Coordination Center, and my center — 
the NCRIC — will present to other fusion centers on effective practices and partner- 
ships they are implementing in their centers. This indicates the level of interest 
across the National Network in advancing our capabilities to address cyber threats. 

The State of Louisiana’s fusion center — LA-SAFE — has taken an active role in 
cyber threat analysis and information sharing. State, local, and private entities 
reach out to LA-SAFE when a cyber event occurs in their AOR. The fusion center’s 
lead cyber analyst disseminates block-list information to those partners to quickly 
help strengthen their protections. LA-SAFE conducts analysis of cyber threats and 
develops intelligence reports for dissemination to relevant partners. To date, the 
LA-SAFE Cyber Unit has developed more than 40 reports that have been shared 
with Federal, State, and local partners. Feedback to LA-SAFE — including from our 
Federal partners — clearly indicates that the information coming out of the fusion 
center is of high value. 

In one example from earlier this year, the Louisiana State legislature was receiv- 
ing numerous phone calls from a foreign individual asking for the payment of a sup- 
posed debt. The numerous malicious calls clogged the phone lines, preventing legiti- 
mate calls from going in or out. The “telephone denial-of-service attack” disrupted 
the legislature’s communications. LA-SAFE determined that this TDOS attack was 
similar to others that had occurred across the United States and produced and dis- 
seminated an advisory to its partners. Immediately afterwards LA-SAFE received 
numerous phone calls and emails from public safety answering points (PSAPs) 
across the country that had suffered similar attacks. LA-SAFE was contacted by the 
deputy manager of the National Coordinating Center for Communications (NCC). 
The NCC had received the LA-SAFE advisory from the NCCIC and expressed seri- 
ous concern. The NCC then initiated a conference call with LA-SAFE, the NCRIC, 
NCC, NCCIC, Association of Public-Safety Communications Officials (APCO), Na- 
tional Emergency Number Association (NENA), FBI, and other industry representa- 
tives to coordinate a response. 

As a result of the coordination, multiple advisories were distributed from partici- 
pating organizations to their customer bases. It has since been determined that over 
200 of these attacks have been identified Nation-wide. These attacks have targeted 
various businesses and public entities, including the financial sector and other pub- 
lic emergency operations interests, such as air ambulance, ambulance, and hospital 
communications. 

This example of cyber threat analysis and information sharing is occurring on a 
more frequent basis across the National Network of Fusion Centers. Some fusion 
centers are collecting and analyzing instances of cyber attacks in their AOR, and 
developing products that are sent to other fusion centers, which enables a much 
larger set of stakeholders to prevent damaging attacks. 

LA-SAFE’s recent experiences demonstrate both the opportunity and the need for 
additional focus and capacity within the network. Like other fusion centers that pro- 
vide cyber threat analysis and sharing services, LA-SAFE needs more cyber analyst 
positions. The increasing threat level has already translated into increased demand 
for investigative and analytical services from fusion centers, and there is no sign 
of any slowing-down in that demand. A significant challenge for LA-SAFE and 
other centers is that cyber analysts are typically more expensive than traditional 
analysts. While physical terror threats and criminal activity are the primary focus 
of most fusion centers, the growing category of cyber crime means that cyber threat 
analysis resources must be strengthened at all levels of government. 

In addition, LA-SAFE and other centers believe that the system for interacting 
with Federal partners on cyber threats needs to be improved. Enhanced cooperation 
by Federal partners through more information sharing at the Unclassified or Sen- 
sitive-But-Unclassified levels would help connect dots and lead to faster information 
sharing to prevent attacks. Our Federal partners tend to operate on the “high side,” 
but since threat information is coming to fusion centers from State, local, and pri- 
vate-sector customers who expect timely responses, operating in a classified environ- 
ment can slow down information flow. Speed is important in all investigations and 
prevention activities — especially in the cyber domain. We must work with our part- 
ners to identify the right path forward on classification so that we can be appro- 
priately responsive to our communities while safeguarding CIKR and information 
assets from inappropriate exploitation. 

Building, training, and maintaining a strong cyber analyst cadre within fusion 
centers and law-enforcement entities should be a priority. We have great partners 
like the United States Secret Service whose Hoover, Alabama training facility pro- 
vides beginning and intermediate training for fusion center and other analysts. That 
program should be prioritized for new investment in the immediate future so that 
its training can reach a greatly expanded audience. The Multi-State Information 
Sharing and Analysis Center (MS-ISAC) provides training to State and local law 
enforcement to enhance cyber awareness and analytical capabilities. We need more 
of this type of training to ensure our analysts have the skills required to act quickly 
so that accurate, timely information can be shared broadly. 

The Terrorism Liaison Officer (TLO) program is a successful partnership between 
fusion centers and the State and local law enforcement, first responder, public 
health, and private-sector communities within their AORs. TLO programs train 
thousands of individuals on indicators of possible terrorist activity and reinforce a 
system of reporting of suspicious activity through the fusion centers and the Nation- 
wide Suspicious Activity Reporting (SAR) Initiative. This system maximizes situa- 
tional awareness and provides a clear mechanism for ground-level suspicious activ- 
ity to quickly funnel up to lead investigative agencies. 

The success of the TLO program in the physical terrorism domain should be ex- 
tended to the cyber domain in the form of a “cyber TLO” program. Trained TLOs 
know what to do in the world of physical threats. The same should happen with 
cyber threats. City governments, county governments. State governments, and CIKR 
owners and operators should be part of this network. Again, maximizing situational 
and threat awareness through a systematized reporting mechanism will ensure that 
investigative leads filter up to lead investigative agencies, while regular reporting 
on the latest cyber threats by fusion centers and other partners can be pushed down 
through that network. 

Every fusion center should have the ability to triage threat reports and develop 
products to help State, local, and private-sector entities to mitigate the threats. 
Ideally, we need a constantly updated automated system that provides partners in- 
formation — machine and human-readable — in real time as events are happening. In- 
vestigation into the source of cyber attacks will occur after the fact, but action to 
identify the attack, identify the associated indicators of compromise, and dissemi- 
nate those indicators of compromise to partners in a timely manner is essential. 

It will take time and money for that vision to be realized — and we have too little 
of both in the near term. In the mean time, the partners at this table and around 
the country must work together through the pilot project and other settings to de- 
velop policies, protocols, and requirements that will result in the kind of information 
sharing and threat analysis our citizens expect. In addition, a concept called analyt- 
ical centers of excellence is being built out across the National Network. If a par- 
ticular fusion center does not have dedicated cyber capabilities, then that center’s 
personnel should know exactly where to go for support. Relationships should be de- 
veloped and formalized so that centers with cyber capacity can be tapped when 
needed by other members of the National Network. This same concept is being ap- 
plied to traditional criminal intelligence information by fusion centers today. 

On behalf of the National Fusion Center Association, thank you again for the 
opportunity to testify today. The members of the NFCA executive board and I are 
happy to provide you with on-going input and answer any questions you have. I also 
encourage you to reach out to the fusion center in your State or region and find out 
about their particular challenges and best practices related to cyber and other 
threats. We look forward to working with you on this issue. 

Mrs. Brooks. Thank you, Mr. Sena. 

The Chairwoman now recognizes Mr. Molitor for 5 minutes. 

STATEMENT OF PAUL MOLITOR, ASSISTANT VICE PRESIDENT, 
NATIONAL ELECTRICAL MANUFACTURERS ASSOCIATION 

Mr. Molitor. Thank you, Madam Chairwoman, Mr. Chairman, 
and the Ranking Members and all of the committee Members and 
staff who have joined us today. We would like to acknowledge the 
subcommittee for holding this important hearing on a very timely 
topic, which is cybersecurity and emergency management. 

NEMA sees safe and reliable electric power as an enabler for 
first responders and supporting life-sustaining services like com- 
munications, food, fuel, and water in the event of a cyber attack. 
As we discuss the impacts of the cyber attack, direct parallels can 
be drawn to grid outages caused by natural disasters. Nothing 
shapes the discussion more than the lessons learned through the 
2003 Northeastern blackout, the recent tsunami in Japan, the re- 
cent earthquake in Haiti, and the two events which affected the 
Congressional districts of many of the Members here today, Hurricanes Sandy and 
Katrina. 

Large-scale outages are extremely disruptive to the health and 
well being of the affected population regardless of the cause. The 
question becomes: What are the most effective steps we can take 
to prepare for and mitigate this impact? 

In much the same way as new information in communications 
technologies are reshaping how we work, learn, and stay in touch 
with one another, these same technologies are being applied to the 
electric grid, giving utilities new ways to manage the flow of power. 
Many people refer to this as the smart grid. This allows us to mini- 
mize the footprint of an outage, maintain power to critical facilities, 
identify those affected, shunt around downed power lines to in- 
crease public safety, and enable faster restoration of services. 

Many of these technologies are detailed in a storm reconstruction 
guide that we produced in the wake of Hurricane Sandy a year ago, 
and we had a seminar on Capitol Hill earlier this year where we 
went through this in a fair amount of detail. 

When the U.S. Department of Energy established their seven 
characteristics for smart grid in 2008 it included: Optimize asset 
utilization and operate efficiently; anticipate and respond to system 
disturbances — essentially, be self-healing; and also, operate resil- 
iently against attack and natural disaster. The key to this kind of 
performance is rooted in consensus-based industry standards. 

Standards define the interaction between entities to create both 
interoperability and cybersecurity. They allow electrical manufacturers to build 
security into the grid, which is preferable to installing free and open devices that 
are secured after installation. We 
want security built into the objects and not bolted on afterwards. 
Moreover, the standards-based monitoring features of the smart 
grid will facilitate communications between grid operators, emer- 
gency crews, and first responders. 

The bill introduced by a Member of this committee, the SMART 
Grid Study Act, by Congressman Payne, would go a long way to 
evaluating the breadth and effectiveness of the solutions that have 
been deployed to date. Since 2009 we have invested billions of dol- 
lars in the smart grid, and if you want to improve something you 
need the measurement. We have been building; it is time to meas- 
ure. 

Additional considerations for the cyber future of the grid are con- 
tained in Executive Order 13636 and the National planning sce- 
narios developed by the various sector-specific agencies of the Fed- 
eral Government in conjunction with the Department of Homeland 
Security. Scenario 15 is entitled “Cyber Attack” and it provides a 
doomsday scenario for a pervasive attack on major elements of the 
Nation’s communications infrastructure, weighing this scenario 
against the cybersecurity framework being developed by NIST 
under Executive Order 13636, the implementation of which is being 
supervised by DHS. This will give our industry an appropriate 
platform to ensure that we are as prepared as possible for an at- 
tack. 

Finally, as a 20-year veteran of the U.S. Army and a former company commander and 
battalion operations officer, I can say that it 
is one thing to have a plan but another thing to execute it. We 
should regularly conduct large-scale virtual exercises, like the Na- 
tional-level exercises in 2012, to test our response capabilities 
under the cyber attack scenario or the natural disaster planning 
scenario or a combination of the two. The greatest fear of our in- 
dustry is that someone would launch a cyber attack in conjunction 
with a natural disaster, which would increase its impact. 

The military performs these kinds of exercises with great frequency and great 
success. It would be a good idea for us to figure 
out how we can structure regional, more detailed exercises under 
DHS for the civilian agencies and companies associated with the 
critical infrastructure, like the upcoming NERC event you men- 
tioned earlier. 

I want to thank the subcommittees for allowing us to testify 
today and I look forward to your questions and comments. 

[The prepared statement of Mr. Molitor follows:] 

Prepared Statement of Paul Molitor 
October 30, 2013 

Chairmen Brooks and Meehan and Ranking Members Payne and Clarke, I thank 
you and the Members of the subcommittees for inviting me to testify today on cyber- 
security and emergency management. 

I am Paul Molitor, assistant vice president at the National Electrical 
Manufacturers Association (NEMA). NEMA is the association of electrical equipment 
and medical imaging manufacturers, founded in 1926 and headquartered in Arlington, 
Virginia. Its 400-plus member companies manufacture a diverse set of products 
including power transmission and distribution equipment, lighting systems, factory 
automation and control systems, and medical diagnostic imaging systems. The U.S. 
electroindustry accounts for more than 7,000 manufacturing facilities, nearly 
400,000 workers, and over $100 billion in total U.S. shipments. 

On behalf of the 400-plus member companies of NEMA, I am responsible for all 
internal and external communications relating to NEMA’s Smart Grid strategic 
initiative including interfacing with electrical utilities, manufacturers, State and 
Federal agencies, and the U.S. Congress. Prior to coming to NEMA, I had an 
established career in the communications industry building data networks in Top Secret 
environments and large, commercial public networks for the internet divisions of 
both BellSouth in the southeastern U.S. and globally for WorldCom. More recently, 
I spent time working with artificial intelligence systems in several Federal pro- 
grams dealing with systems of systems, intelligence analysis, and National defense. 
Having this background has been a good fit for Smart Grid as we seek to bring addi- 
tional communications and intelligence to the electric grid. 

I was the first plenary secretary of the NIST Smart Grid Interoperability Panel 
(SGIP), founded the SGIP’s International Task Force, participated in the 
cybersecurity committee, and served as the founding director for SGIP’s 
industry-operated successor SGIP 2.0, Inc. I’ve also served as secretary of the U.S. 
Technical Advisory Groups for the International Electrotechnical Commission (IEC 
TAGs) for the Smart 
Grid strategy group (SG3) and the Smart Grid user interface committee (PC 118). 
I was named to the Canadian Task Force on Smart Grid Technologies and Stand- 
ards (TF-SGTS) and serve on the Carnegie Mellon University Software Engineering 
Institute’s Smart Grid Maturity Model (SGMM) stakeholder panel. 

NEMA believes this hearing is incredibly important. Our Nation faces unprece- 
dented cybersecurity threats that endanger not only our way of life, but our very 
health and safety as well. 

One year ago Superstorm Sandy struck the eastern seaboard and had a dev- 
astating impact on so many lives and the economies of a wide swath of States. 
Sandy brought out the best in our first responders, emergency managers, Government 
officials, and everyday Americans. 

The electric grid is essential to public health and welfare. So when Sandy knocked 
out power for millions of Americans, first responders, utility operators, and emer- 
gency managers sprung into action. Restoring power is part and parcel of emergency 
management. 

Of course, it is not difficult to imagine a scenario in which the electric grid is shut 
down not by a natural disaster but instead, through a cyber attack. 

Whatever the cause, resilient and reliable power is critical for first responders, 
communications, health care, transportation, financial systems, water and waste- 
water treatment, emergency food and shelter, and other vital services. 

Much of our electric grid was built in the 20th Century but is facing 21st Century 
threats. New technologies are being manufactured and implemented today to trans- 
form the grid. When smart technologies are in place, power outages are avoided or 
minimized and lives, homes, and businesses are better protected. 

THE SMART GRID’S ROLE 

In much the same way as new information and communications technologies are 
reshaping how we work, learn, and stay in touch with one another, these same tech- 
nologies are being applied to the electrical grid, giving utilities new ways to manage 
the flow of power. 

A Smart Grid is an electrical transmission and distribution system that uses tech- 
nologies like digital computing and communications to improve the performance of 
a grid, while enabling the features and applications that directly benefit the con- 
sumer. 

A Smart Grid is not an all-or-nothing proposition; there are gradations of “smart- 
ness.” As the electrical grid is modernized with advanced technologies, it becomes 
smarter. Given the diversity in electrical systems and the wide range of available 
Smart Grid technologies, there is no one method to measure the smartness of an 
electrical system. What matters is performance. 

The basic operation of Smart Grid technologies is designed to give the utility com- 
pany and the consumer (residential, commercial, and industrial) more control over 
the electricity supply. 

On the consumer side, this means more information about — and thus greater con- 
trol over — the charges that appear on individuals’ electric bills. 

For utility companies and other grid operators, this means acquiring better situa- 
tional awareness to know what is happening on the grid and to better manage it. 

By applying information and communications technologies and basic computing 
power to the electrical grid, utilities can not only minimize the footprint of an 
outage, but also identify those affected, shunt around downed power lines to increase 
public safety, and enable faster restoration of services. 

For example, when disturbances are detected in the power flow, modern circuit 
breakers can automatically open or close to help isolate a fault. Much like a motorist 
using his GPS to find an alternate route around an accident, this equipment can 
automatically route power around the problem area allowing electricity to continue 
to flow to the customer. 

Circuit breakers and other electrical devices in the field have the ability to com- 
municate their status to help utilities identify potential problem areas, including 
outages or conditions that might result in an outage. Coupling this kind of auto- 
mated activity with feedback from advanced electric meters would help restore serv- 
ice to the greatest number of customers even before the first truck rolls out of the 
utility service shop. 

The Cyber Threat and the Electric Power Industry’s Response 

Like any infrastructure that is connected to a network, the electric grid faces cy- 
bersecurity threats which are increasing as each day goes by. 

Protecting the Nation’s electric grid and ensuring a reliable, affordable supply of 
power are the electric power industry’s top priorities. Cybersecurity incidents have 
the potential to disrupt the flow of power to customers or reduce the reliability of 
the electric system. Key to the success of this effort is the ability to protect the 
grid’s digital overlay against interruption, exploitation, compromise, or outright at- 
tack of cyber assets, whether through physical or cyber means, or a combination of 
the two. 

The electric power industry takes cybersecurity threats very seriously. While new 
digital automation and technological advancements can introduce new 
vulnerabilities, these technologies also provide better situational awareness and 
help detect threats before an attack. As such, protecting the grid requires a collabo- 
rative effort among electric utility companies, the Federal Government, and the sup- 
pliers of critical electric grid systems and components — both hardware and software. 
Utilities are required to deliver affordable, reliable, and secure electricity, while 
manufacturers have an obligation to ensure that the same qualities are present in 
their equipment. 

An infrastructure as massive as the electric grid which has been referred to as 
the world’s largest machine cannot be simply taken out and replaced with the ulti- 
mate in cybersecurity. In other words, we cannot “gold plate” the entire electric grid, 
implementing the highest levels of security at every point along the distribution net- 
work. But a few techniques that have proven to be effective in sensitive operating 
environments in the Nation’s Information Technology (IT) infrastructure will help 
ensure greater resiliency. 

The first is segmentation. In order to control the cost of deployment, regulators 
need to consider the overall security architecture in their rulemaking decisions. As 
with the electric grid itself, the ability to isolate security issues and insulate core 
grid functionality from their effects is equally important as the strength of the secu- 
rity measure. 

A second is layering. As with segmentation, the aspect of security layering needs 
to be considered during rulemaking. Individual security measures should not be con- 
sidered in a vacuum, but rather in the context of how they contribute to the overall 
security architecture of the system. It would be important to define rules and guide- 
lines for the levels of layered security required as a function of the criticality of a 
device, its functions, the impact on the surrounding segments of the grid, etc. 

A third is decentralization. When we think about the computing environment of 
the 1960’s, 70’s, and 80’s, it was dominated by mainframe systems and centralized 
control of information and processing. With the advent of the personal computer, 
this migrated to a much more decentralized model in the 1990’s and beyond making 
access to computing resources much easier and more reliable for everyone. The same 
holds true with electricity as distributed generation, energy storage, microgrids, and 
net-zero energy designs and technologies become more available. 

When an outage strikes, the effects often stretch far beyond the initial impact 
zone. Regional outages inhibit the ability to protect those in danger and provide 
basic needs such as food, sanitation, and shelter. We could recover more quickly if 
islands within each area could maintain power and serve as centers for critical serv- 
ices and recovery. 

A microgrid can isolate itself via a utility branch circuit and coordinate generators 
in the area, rather than having each building operating independently of the grid and 
using backup generators. Using only the generators necessary to support the loads 
at any given time ensures optimum use of all the fuel in the microgrid area. 

Importance of Codes for Grid Resiliency 

Of course, electric infrastructure isn’t only transmission lines, substations, and 
transformers. It doesn’t stop at the electric meter outside the building. Indeed, you 
could argue the grid extends to any end-use device you have plugged into an elec- 
trical outlet. Buildings consume some 70% of all energy produced and are the place 
where so much of modern life exists. 

Emergency managers should recognize the importance of adopting the latest elec- 
trical code. The National Electrical Code (NEC) ensures that new construction and 
major renovations are built with the latest technology, which will make a facility 
as safe as possible both for those who become trapped in it during the emergency 
and for the first responders who may have to breach the building envelope in 
order to stage a rescue operation. A robust emergency plan involves ensuring that 
updated codes are in place today to improve the outcome should disaster strike. 

A corollary here is the energy efficiency of a building; energy codes establish base- 
line levels of efficiency. In the event of cyber attack, the best-prepared buildings will 
have a degree of back-up generation or may be part of a microgrid which is con- 
nected to some back-up generation. It stands to reason that a given amount of gen- 
eration during the wider grid outage will be able to power more critical electrical 
loads or a given number of electrical loads for a longer period of time, as those loads’ 
levels of energy efficiency are improved. In other words, energy efficiency allows us 
to do more with less during a grid outage. 

NEMA is encouraging States and localities to stay current on code adoption. 

Recent Congressional Activity 

Some recent Congressional activity is worth noting. 

Speaking of energy efficiency, Sen. Gillibrand has legislation which amends the 
Stafford Act to allow a recipient of assistance relating to a major disaster or emer- 
gency to use the assistance to replace or repair a damaged product or structure with 
an energy-efficient product or energy-efficient structure. When disaster strikes we 
should take the opportunity to prepare for future disasters by rebuilding the smart 
way, and energy efficiency is part of this, as described earlier. 

Emergency managers and State and local officials are on the front lines for weeks 
after a major disaster. Often they are supported by the Federal Government in 
terms of resources, coordination, and manpower, but also in terms of funding to 
rebuild. 

In the wake of Superstorm Sandy, NEMA encouraged Congress to allow Federal 
rebuilding funds to be used not only to replace damaged electrical equipment but 
to replace it with advanced technologies that allow the grid to become more resilient 
going forward. 

The Senate version (H.R. 1, 112th Congress) of the Sandy Supplemental appro- 
priations bill included the following language. 

“SEC. 1105. Recipients of Federal funds dedicated to reconstruction efforts under 
this Act shall, to the greatest extent practicable, ensure that such reconstruction ef- 
forts maximize the utilization of technologies designed to mitigate future power out- 
ages, continue delivery of vital services and maintain the flow of power to facilities 
critical to public health, safety and welfare.” 

Unfortunately the bill that passed the House and was signed into law did not 
include such language. This approach should be considered in any future disaster 
bill as a way to boost the resiliency of the electric system and ultimately lessen the 
impact of cybersecurity and other grid-impacting events. 

Finally, on a much broader level, NEMA believes that Congressman Donald 
Payne’s SMART Grid Study Act (H.R. 2962), which authorizes a study of the costs 
and benefits of developing a Smart Grid, would go a long way in proving the case — 
to those who remain unconvinced — that the Smart Grid is an investment worth 
making to make the electric grid stronger, safer, and more resilient. Investment in 
the Smart Grid is happening today across the country and around the world. Yet 
policy barriers remain to its full implementation. 

A comprehensive study such as this, to be conducted by the National Research 
Council with input from the Department of Homeland Security and other relevant 
agencies, includes an in-depth review of the vulnerabilities of the electric grid to 
cyber attack. 

THE IMPORTANCE OF INDUSTRY-LED STANDARDS 

In addition to the obvious human toll a breach in cybersecurity could bring, from 
a manufacturer’s perspective it could involve countless hours of research and 
development staff time, contractors, and consultants, which would be a considerable 
financial burden on the utilities and manufacturers alike. The implementation of 
those patches would involve potential changes to the manufacturing process, 
deployment of patches to the installed base, product recalls, rebates and many other 
expensive options, not to mention the potential for lawsuits, both valid and 
frivolous, based on the potential outages described above. 

An additional interest of the manufacturers is standardizing on common ap- 
proaches to cybersecurity across utility areas of control as well as State boundaries. 
It is critical to invest the time and resources upfront to select the optimal architec- 
ture, minimize risks, and attain a reasonable balance between costs and security. 
Additionally, there exists a need for States to work together in order to provide utili- 
ties with a uniform security implementation approach. If public utility commissions 
do not lead with a common approach, then it will be very difficult for utility compa- 
nies, manufacturers, the National Institute of Standards and Technology (NIST), 
and Standards Development Organizations (SDOs) to coordinate their security 
standards development efforts, increasing the level of difficulty for manufacturers to 
provide interoperable solutions. The corresponding drop in interoperability could 
also lead to a lower quality of service to electricity customers. 

The key to achieving the kinds of success described in this testimony is to rely 
on proven, industry-based standards. NEMA, along with a number of our NGO 
peers, retains accreditation through the American National Standards Institute as 
a standards developing organization (SDO). Products made from consensus-based in- 
dustry standards are the first step in achieving interoperability. 

Smart Grid Interoperability Panel: Private-sector-led Voluntary Standards Processes 
for Cybersecurity 

Because we live in an increasingly-connected world, interoperability has become 
a bedrock concept. The NIST effort through their Smart Grid Interoperability Panel 
(SGIP) focused on industry standards and their role in delivering the features and 
functionality for Smart Grid. Consensus-based standards ensure that devices 
achieve a minimum level of performance, whether that is in terms of safety or 
electricity delivery, with consistency and reliability. They also provide a uniform 
management information base (MIB) that allows operators to seamlessly trade 
management data to achieve successful operations in the segmented, layered, and 
distributed environment described above. Industry-based security standards further ensure 
that security measures can be properly vetted by the global security community. 
The practice of “security by obscurity”, where security measures were individually 
developed and implemented without review, is not nearly as reliable as a publicly- 
tested and fully-vetted security scheme. Identifying cybersecurity standards through 
a body like NIST allows manufacturers to make sure that cybersecurity is built into 
the products and solutions they offer rather than being bolted-on by the grid 
operator at installation. 

NIST Cybersecurity Framework 

The recently-released Executive Order for cybersecurity in the critical infrastruc- 
ture (EO 13636) provides a template for the relationship between industry and Gov- 
ernment. EO 13636, along with its predecessor legislation the National Technology 
Transfer and Advancement Act (NTTAA, Pub. L. 104-113) and its implementation 
through OMB Circular A-119 describe the role of Federal agencies for securely 
implementing information technologies in the Federal Government. Essentially these 
laws stipulate that the Government shall use industry standards to the greatest ex- 
tent possible, vetted through NIST, and installed under the practices identified by 
the sector-specific Federal agency. The NIST framework developed under the 
guidance of EO 13636 adheres to this convention, establishing an effective 
public-private partnership for the implementation of cybersecurity measures in 
critical infrastructure. 

Incentives for Voluntary Participation in NIST Framework and/or Information 
Sharing 

As we’ve seen in the information technology industry, information sharing about 
persistent electronic threats is a key component of security performance. When an 
electronic attack is in process, companies like Internet Security Systems and Dell 
SecureWorks detect and analyze those threats and provide that threat information 
to their customer base. The only way they can be successful in this is if their cus- 
tomers openly and willingly provide threat and attack information to them. 

In order for threat analysis of critical infrastructure to be successful, electric utili- 
ties and others involved in the electricity supply chain need to be similarly forth- 
coming. This may mean that some form of inducement may be necessary in order 
to secure maximum participation. These don’t necessarily need to come in the form 
of tax policy or direct financial incentives from the Federal Government, but 
something as simple as liability limitations for manufacturers and grid operators who 
have access to threat information and share it willingly with DHS or the appropriate 
sector-specific agency. 

Privacy 

NEMA member companies are dedicated to the protection of electricity subscriber 
privacy and personally identifiable information (PII). This is another area where 
consensus-based industry standards will play a role. Effective legislation or regula- 
tion regarding subscriber privacy needs to be based on common terminology and pri- 
vacy concepts. This has previously been applied to other areas such as patient infor- 
mation in the administration simplification section of the Health Insurance Port- 
ability and Accountability Act (HIPAA, Pub. L. 104-191). Adaptations of these prin- 
ciples should apply to the electrical subscribers. 

RESPONDING TO A CYBER EVENT 

A front-line resource from the manufacturers of electrical equipment during any 
emergency is the NEMA Field Representative Program. NEMA field reps are building 
code and electricity subject matter experts. As experienced masters in electrical 
systems, they have the kind of jack-of-all-trades knowledge necessary to deal with 
emergency situations. The NEMA field reps serve as a gateway to all 400-plus mem- 
bers of the association and can provide company- and product-specific advice as well 
as contacts within member companies who can help respond. The member company 
technical resources can then work with their utility company customers to safely re- 
store power and ultimately repair the damage. 

National Planning Scenarios Must Focus on Interoperability 

DHS’s work on the National Planning Scenarios gives them an appropriate entry 
point into the cybersecurity policy discussion. Scenario 15 of the National Planning 
Scenarios is titled “Cyber Attack” and includes the following General Description: 

“This scenario illustrates that an organized attack by the Universal Adversary (UA) 
can disrupt a wide variety of internet-related services and undermine the Nation’s 
confidence in the internet, leading to economic harm for the United States. In this 
scenario, the UA conducts cyber attacks against critical infrastructures reliant upon 
the internet by using a sophisticated C2 network built over a long period of time.” 

This, coupled with their role as defined in EO 13636 makes DHS the ideal place 
to host the analysis and evaluation of emergency preparedness testing for all ele- 
ments of the critical infrastructure based on the current global threat profile. 

NEMA has worked with DHS in this capacity in the past including a contract for 
the Digital Imaging for Communications in Security (DICOS) protocol associated 
with TSA electronic screening systems for airport operations. Two important fea- 
tures of DICOS are that it contains the appropriate protections for information pri- 
vacy (being based on a corresponding medical imaging protocol named DICOM), and 
that an integrated threat model was part of the design consideration. 

Essentially all of the tools and roles for DHS exist in other contexts, so the chal- 
lenge will be to bring them together for the participation in cybersecurity event 
management. A future consideration should be a large-scale virtual exercise to test 
our response capabilities under the cyber-attack or natural disaster planning sce- 
narios, or a combination of the two. The military performs this kind of exercise fre- 
quently with great success. It would be a good idea for us to figure out how we can 
structure a counterpart under DHS for the civilian agencies and companies associ- 
ated with the critical infrastructure. Performed in real time, DHS can inject cyber 
events into the scenario exercise that would stress the communications and manage- 
ment capabilities of infrastructure service providers as well as Federal, State, and 
local agencies. The participants would then be compelled to respond to make sure 
they had the appropriate protections and contingency plans in place. 

In closing, let me restate NEMA’s commitment to improving the resiliency of the 
electric grid. We are willing partners with Government and industry in the effort 
to protect Americans from the threat of cyber attack and to help our country re- 
spond when disasters strike. 

Mrs. Brooks. Thank you, Mr. Molitor. 

I now will recognize myself for 5 minutes of questions. Like to 
start out with Ms. Stempfley. 

The After-Action Report for the National Level Exercise 2012 
was released this summer. Can you please give us an update on 
the Office of Cybersecurity and Communications’ efforts to work 
with other Federal agencies — specifically FEMA — as well as the 
State, local, and private-sector stakeholders to address the issues 
that were identified after this cyber exercise? 

Ms. Stempfley. Thank you, ma’am. Yes. Absolutely. 

The National-Level Exercise was the first exercise where we had 
a cyber and physical scenario performed at this level. It was the 
attempt to bring together all of our stakeholders and look at how 
clear we had put roles, responsibilities, and execution and re- 
sources towards the specific problem. We were pleased to learn a 
number of lessons from that exercise, to include how to partner and 
the role the private sector must play in this very important mission 
area. 

We have been undergoing a series of after-action activities, which 
range from the development of specific, more-focused exercises and 
action plans so that when a particular event might occur either in 
a sector or at a location we have playbooks available for that. 
These are being developed as a community, so not just DHS with 
FEMA but DHS with our stakeholder partners in the private sec- 
tor, as well, with State and locals and other activities. 

As a matter of fact, we worked with the energy sector to execute 
what we called the Poison Apple exercise not too long ago, which 
was one of these exercises testing a playbook of a particular sce- 
nario in the electric sector. 

Mrs. Brooks. Specifically, I am glad you bring up the electric 
sector, because as I mentioned, I just met with representatives 
from our energy sector just this last month and an issue that they 
brought up, which actually came up in a mark-up of bills yester- 
day, involved security clearances and the difficulty and the backlog 
in the issuance of security clearances for the private sector. 

Can you please discuss that issue a bit and whether or not you 
are aware of the clearance backlog on the issuance process and are 
there anything that we can do to help you address — because it was 
my understanding from — and I had a number of private-sector com- 
panies that expressed that frustration, and it seems to me that if 
we are truly going to have this partnership, particularly with re- 
spect to a response, can you address this issue of security clear- 
ances? 

Ms. Stempfley. So one of the things that we all know and my 
colleague pointed out is we are not going to clear ourselves into 
solving these problems. So we are actively working on share lines 
and reducing information to EOUO and Unclassified activities. 
That is not to say that there are not times when clearances are re- 
quired nor are we walking away or any of that from the security 
clearance issue. 

My colleague, the assistant secretary for infrastructure protec- 
tion, is very focused on this. Respectfully, I would like to take the 
question for the record and have her help 

Mrs. Brooks. Who would that be? 

Ms. Stempfley. Caitlin Durkovich. 

Mrs. Brooks. Okay. Thank you. We would be very interested be- 
cause it appears to be an issue that is causing a lot of concern in 
the private sector and we certainly respect the importance of secu- 
rity clearances but we must find a way to communicate and work 
together. 
Ms. Stempfley. Yes, ma’am. 

Mrs. Brooks. Thank you. 

Like to ask Mr. Sena: When you talked about the fusion cen- 
ters — and I have visited my fusion center and also would encourage 
others on the committees to visit their fusion center — yours is one 
of the small number of fusion centers in the National Network 
proactively incorporating cybersecurity into its mission, and I ap- 
plaud you for that. What Federal, State, and local partnerships 
have you developed to help the NCRIC contribute to this important 
mission? 

Mr. Sena. Thank you, Madam Chairwoman. 

As far as the development of our fusion center capability — sorry. 
Thank you. 

As far as our — still getting a little feedback here, but — the devel- 
opment of our center, we have been able to work closely with actu- 
ally centers across the country to develop a cyber information net- 
work for exchanging information and then developing partners 
from the private sector to collaborate and actually provide them 
with timely information as well as working with our Federal part- 
ners from the FBI, from our partners in the Secret Services who 
are working the criminal angles of cyber threats, to be able to de- 
velop a network. 

We are actually in the process right now of bringing in private- 
sector personnel to support that effort so that they are in an envi- 
ronment where we can share that information with them and de- 
velop products that they need. We have been working on that over 
the past year-and-a-half to develop a program and we are working 
right now to that National pilot to involve other centers and really 
develop centers of analytical excellence in the field of cybersecurity. 

Mrs. Brooks. Well, we look forward to you sharing that work 
with other fusion centers around the country. 

I see that my time is expired and I am now going to recognize 
the gentleman from New Jersey, Mr. Payne, for any questions he 
might have. 

Thank you. 

Mr. Payne. Thank you, Chairwoman Brooks. 

First I would like to thank Ms. Stempfley for discussing the New 
Jersey pilot project with critical infrastructure and emergency 
managers. I am very interested in learning, you know, about the 
pilot and hope that you can come back and discuss that with me 
at a later date. 

Let’s see. This question is for you, as well. Each witness here has 
discussed the urgent threat a cyber attack poses and that it is crit- 
ical that the Government and the private sector take immediate ac- 
tion to beef up its cybersecurity efforts. 

Earlier this month the Government was shut down for 16 days 
and I am interested in learning how that affected our cyber activi- 
ties. Can you discuss how the Government shut-down affected cy- 
bersecurity efforts and which programs were furloughed and what 
projects were delayed as a result of that? 

Ms. Stempfley. Certainly the Government shut-down was a 
traumatic event for the staff in the Office of Cybersecurity and 
Communications. Important functions that were considered exempt 
associated with immediate loss of life or property were sustained 
during that period, including functions in the National Cybersecu- 
rity and Communications Integration Center, so our important in- 
formation-sharing activities on threats that were on-going in that 
moment continued during this time frame. 

Unfortunately, we had to suspend efforts in some other impor- 
tant activities, including workforce development, including out- 
reach and awareness, and including engagement with many of our 
partnership and stakeholder engagement efforts. So all of our sec- 
tor-coordinating council activities and planning activities were sus- 
pended during this time period. 

Mr. Payne. Okay. So those are the programs that were fur- 
loughed? 

Ms. Stempfley. Yes, sir. 

Mr. Payne. Okay. So how did it affect us in terms of our ability 
to thwart off these attacks? 

Ms. Stempfley. We focused during the furlough period on those 
efforts that were instantaneous or immediate — those monitoring of 
Government networks against threats and protection and defense 
measures about activities that were currently on-going. No 
progress was made during that period on programmatic activities 
and so future efforts nor planning activities occurred. So during 
this period we were required to focus exclusively on the near-term 
and real-time efforts of the Department. 

Mr. Payne. So we could only focus on what was right before us 
at that time. 

Ms. Stempfley. Yes, sir. The requirement was we had to con- 
sider as exempt activities only things were about the immediate 
loss of life or property. 

Mr. Payne. Would you consider us being more vulnerable at that 
time? 

Ms. Stempfley. It certainly was a time where there were not as 
many eyes on the Federal networks and it was a period where the 
vulnerability and the threat environment are something we are 
concerned about. 

Mr. Payne. At our full capability do you feel there are enough 
eyes on it when we are at full deployment? 

Ms. Stempfley. I don’t believe you will hear anyone from the Of- 
fice of Cybersecurity and Communications acknowledge that the re- 
sources in this particular mission area are commensurate with the 
threat that we undergo, and so there certainly is more work to be 
done in that area. We have important programs, including contin- 
uous diagnostics and mitigation and the Einstein programs, which 
are a part of helping put automation into the Federal networks, 
and the Enhanced Cybersecurity Service, which is about helping to 
share information for protection with critical infrastructure. 

Mr. Payne. Okay. Thank you. 

Mr. Molitor, as you know, I have been a strong proponent of 
smart grid technology. Can you talk about how smart grid tech- 
nology will improve resiliency in the event of a cyber incident? 

Mr. Molitor. Yes, sir. Thank you. 

The nature of a smart grid — and it comes from those perform- 
ance objectives that were laid out by D.E., the whole idea that the 
grid should be able to react to disturbances and be somewhat self- 
healing. So the idea that if a cyber attack happens when the more 
intelligent grid than what we have today will be able to do is to 
be able to shunt around the areas that are affected. It doesn’t mat- 
ter whether that is an effect that is caused by a natural disaster, 
a man-made disaster, or a cyber attack. 

So ideally what we want to do is contain the damage, and 
Madam Chairwoman this morning cited the television program this 
weekend, and that is an example of a cascading event, and what 
we really want to do is avoid that and that is what the technologies 
through the smart grid will enable. 

Mr. Payne. Right. So in layman’s terms, I, you know, was inter- 
ested, you know, when you say you have a blackout at your home, 
you contact the utility, utility has to contact workers to go out to 
your home and start from that point and work their way back. 

Mr. Molitor. Right. 

Mr. Payne. What the smart grid technology would allow is al- 
most for that affected area to contact the utility to say, “There is 
a problem in this area,” which alleviates that working back and 
finding the issue and then figuring out what was wrong and then 
correcting it and getting it — so the smart grid technology would 
allow us to be proactive in protecting the grid and almost alerting 
us prior to the issue being created. 

Mr. Molitor. Yes. Absolutely. The analogy that we have used in 
the past is like the dashboard on your car. You know, you have got 
the regular speedometer, tachometer, all of the things that tell you 
how the grid is functioning at the time. 

But what we are really adding with the smart grid are the idiot 
lights — the things that come on when your oil pressure gets dan- 
gerously low and those kind of things. So yes, those are the auto- 
mated notifications that can come off the grid and it can actually 
tell the emergency response crews in the utility companies where 
to go in order to fix and restore power to the greatest number of 
people. 

There is a great example from Vermont Electric Cooperative, 
who was hit by Hurricane Irene in 2011 and then again by Hurri- 
cane Sandy in 2012. They had rebuilt smart in the interim period, 
and so they had a much easier time restoring service and they had 
much fewer consumers who were affected as a result of Hurricane 
Sandy than they were during Hurricane Irene. So we know that it 
works just exactly the way you described. 

Mr. Payne. All right. Thank you. 

Mrs. Chairman, I yield back. 

Mr. Meehan [presiding]. I thank the gentleman from New Jersey 
and I want to thank each of the panelists for being here. 

I am pleased to share the podium today with my colleagues from 
both sides of the aisle but particularly Mrs. Brooks. She and I 
served together as United States attorneys prior to our service in 
Congress, and as a result of that had the opportunity to work with 
a number of the fusion centers and others in the beginning of the 
process of creating what we hoped would be a robust capacity to 
respond to threats of terrorism both on the National as well as the 
local level. 

One of the things that is eye-opening has been the tremendous 
success that has been realized in this country by virtue of, since 
September 11, we have been relatively free of the same kind of 
scope of a threat actually carrying itself out. But we have seen so 
many of the natures of the threats change, and I think this area 
of cyber is the one that probably creates, in my mind, the greatest 
concern. So there is a lot of effort that is going on and I am inter- 
ested in hearing a little bit about your perspectives. 

Let me start with you, Mr. Molitor, first. Just, you know, we 
have spent a great deal of time working here on cyber legislation, 
the purpose of which is to ease the ability for the private sector to 
communicate in a meaningful, two-way communication through the 
National — what we call the NCIC, the Cyber Information Center, 
with real-time information, and also the ability for you to be able 
to work it through in a way in which there are protections for shar- 
ing information and otherwise. 

Have you had a chance to look at some of the proposed legisla- 
tion and do you have any sense as to whether it would be beneficial 
to member companies like your companies within your organization 
and others similar across the country? 

Mr. Molitor. Yes, absolutely. We are at the tip of the spear — 
the electrical manufacturers — in terms of cyber attacks. So when 
the attack comes in they are going after our members’ gear as it 
sits in the electric grid. We need to be able to capture that informa- 
tion and then forward it, so that the folks at the fusion centers and 
the other panelists at this table can respond and react to it. 

So it would be extremely helpful, just in terms of clearing the 
communications. During my opening testimony I mentioned some- 
thing about how industry-based standards are the best way to do 
that. So we have to be able to communicate across multiple enti- 
ties, between the electric utilities, between the Government agen- 
cies. 

So yes, absolutely. It would be most helpful so that we know how 
to communicate with each other so we can standardize the mes- 
sages and respond to the threat. 

Mr. Meehan. Well, we are already dealing with it in real time, 
and I appreciate that. I think one of the realities is there is almost 
a triage, as you often do when you are dealing with an issue, and 
because of the threats that took place against the banking system 
and the, you know, in New York and other kinds of sort of major 
threats, the concern has been how we alleviate the potential for the 
drastic attack. But there is a lot of things that are going on that 
are impacting, as I think was well-articulated. State and local au- 
thorities who have a great deal of information, have a great deal 
of assets, are equally being probed, and otherwise. 

So how are things working today with regard to the sharing of 
information? You have expressed some frustrations and some 
hopes, and I would like you to spend a little bit more time saying, 
well, suppose something happens right now. 

Mr. English, Mr. Orgeron, and Mr. Sena, you are already, in var- 
ious capacities, your fusion centers are working with some of the 
State and local organizations. Let us say you have an enterprise 
from another country — a criminal enterprise that is probing your 
data systems. How are you communicating today and what is it 
that allows you to work effectively together, or not? 

Mr. Orgeron. Mr. Chairman, from a CIO perspective, I think 
that we are communicating with our fusion center. But one of the 
things that we have advocated is governance structures that are 
more clearly defined in terms of paths of communication. 

The cyber component is, for all intents and purposes, is sort of 
the newer thing that we are adding into these threats, building 
into the processes that exist. So if there is an emergency manage- 
ment plan there should be a cyber annex to it in terms of key ac- 
tors and what the roles those actors have 

Mr. Meehan. Are you telling me now that that is what your con- 
cern is, that that is not clearly identified right now? 

Mr. Orgeron. I don’t think that the governance is clearly identi- 
fied across the States from a CIO perspective. That is certainly 
something, when we worked with NEMA and the National Gov- 
ernors Association in the cybersecurity call to action, that we cer- 
tainly advocate. Governance was the top of the list in terms of pay- 
ing close attention to authority and responsibility. 

To your point about that, you know, what is happening at the 
State level, how those flows of communications are happening is 
something that we still think needs effort. 

Mr. Meehan. What is your idea of a way to make it work? 

Mr. Orgeron. I think you have to have a framework, and I think 
the framework has to be something that can be easily commu- 
nicated in 

Mr. Meehan. What would it spell out? 

Mr. Orgeron. Well, as an example, one of the things from a 
technology perspective is the NIST framework. 

Mr. Meehan. Yes. 

Mr. Orgeron. You know, a more common framework with which 
you can have a very effective conversation 

Mr. Meehan. Have you been following the meetings that have 
been taking place in California and other places and you are satis- 
fied that they are working towards that direction? 

Mr. Orgeron. It certainly seems so from the CIO perspective. 

Mr. Meehan. Good. Good. 

Mr. Sena. 

Mr. Sena. Yes, sir. 

Mr. Chairman, we do have an issue. You know, it took us a long 
time to get suspicious activity reporting worked out with a unified 
message, and there is currently a unified message task team work- 
ing on the issue of cyber. But at the National level we have six dif- 
ferent cyber centers and people are all saying, “Well, who do you 
call?” 

Right now the message that is being developed, “Call any of 
them.” 

Mr. Meehan. Is this among your fusion centers — six of them are 
cyber centers, as well? 

Mr. Sena. This is Nationally, at the Federal level — those dif- 
ferent cyber centers that — and trying to work on who do you call? 

Mr. Meehan. Who do you include as the National cyber centers? 
Because one of the parts of the legislation — and Ms. Stempfley’s 
working very, very hard on this with DHS — is to create the NCIC 
as that central point, which everybody knows they go to one place. 

Mr. Sena. Well, we have the NCIC and then there are investiga- 
tive — National cyber investigative joint task force that is out there 
along with some of the other organizations that we have that have 
investigative responsibilities and agency responsibilities within 
their organizations. 

Mr. Meehan. Who would you consider to be among them? 

Mr. Sena. Within DHS, within FBI, within Secret Service 

Mr. Meehan. You are not trying to say there is any kind of juris- 
dictional issues going on among the Federal agencies 

Mr. Sena. Not at all. They are working very diligently together 
but it still causes confusion. 

At the local level when you ask folks — when you go to an organi- 
zation the companies that we have brought in said, “Who do you 
call?” and they go, “We have a rolodex of 100 people.” 

Mr. Meehan. Well, that is just counter to any kind of effective 
capacity to do things, isn’t it? 

Mr. Sena. Absolutely, sir. That is what we have been striving to 
do is to say, all right, let’s create a unified message on where this 
information should go — and not just the telephone calls, but also 
the machine-readable information. This information moves quickly. 
The threat moves quickly. We have to respond to that as quickly. 

Mr. Meehan. In fact, and I am — my time is up — but that is actu- 
ally, in real time we do not have the ability, if we are responding 
to a threat which is happening in the cyber world, to rely on tele- 
phone calls to do it. It needs to be, in many ways, as they say in 
the old days, machine-to-machine to be able to mitigate these 
things, and oftentimes just identifying the nature of the threat, 
where it is emanating from and how we alleviate it in and of itself 
requires that kind of tremendous engagement. 

Mr. Sena. Absolutely, sir. 

Mr. Meehan. Well, I am grateful. That is a very, very good point. 
We are appreciative of your testimony today because this is exactly 
the kinds of things that we need to be able to look at to create that 
connection that works effectively, and that is something that we 
will work towards. 

I am going to, appropriately, if you know anything about — Mrs. 
Brooks is going to take over the chairmanship of this hearing 
again. I am going to get back in my rightful place to her right. 

So at this point in time I will return the chairmanship of the 
hearing to Mrs. Brooks and I thank you for your testimony. 

Mrs. Brooks [presiding]. Thank you, Chairman Meehan, for sit- 
ting for me while I quickly went to another hearing. This happens 
to us occasionally here as Members of Congress. We are called to 
other hearings that are also important and I actually may be called 
back because they were not ready for me. So we may be doing this 
musical chairs once again. 

I now will, I believe, recognize the gentleman from Mississippi, 
Mr. Palazzo, for 5 minutes of questions. Thank you. 

Mr. Palazzo. Thank you, Madam Chairwoman. 

Again, I want to thank the chairs for holding this joint hearing. 
I believe that cyber attacks could be as devastating as 9/11 and 
more widespread. 

Just look at what happened a few weeks ago in Louisiana when 
the EBT card system went down for just a few hours. Widespread 
panic and confusion ensued. Just imagine what a cyber attack on 
our power grids or utilities would do to the stability of this Nation. 
It is vital to America’s interests to address our cybersecurity 
risks sooner rather than later. I think we must utilize all of our 
resources in preparing and responding to a cyber attack. It is not 
a matter of “if”; it is a matter of “when” that will happen. 

I believe a good resource we could use is our Nation’s National 
Guard. I am a proud original cosponsor of H.R. 1640, the Cyber 
Warrior Act. This bill establishes a cyber and computer network in- 
cident response team within the National Guard of every State and 
the District of Columbia, allowing the National Guard to assist in 
responding to cyber attacks. 

It would also allow the Governor of the State to activate the inci- 
dent response team to help train State and local law enforcement 
and other responders in cybersecurity and help them develop best 
practices. I am going to ask all the questions to weigh in on what 
they think of that bill and the utilization of the National Guard. 

But before I do that I would like to ask Dr. Orgeron, could you 
speak to what Mississippi has done to prepare for a cyber attack? 

Mr. Orgeron. Thank you, Congressman. Be happy to. 

One of the things that we advocate at NASCIO and that we have 
done in Mississippi is risk assessment. So with the help of the De- 
partment of Homeland Security, in August of this year we had a 
tabletop exercise in our State. That tabletop brought in multiple 
agencies, our fusion center, and others to kind-of run through a 
scenario — multiple scenarios over about 2½ days. 

It is in our document — in our call to action document that 
NASCIO worked with with NEMA and NGA. One of the things 
that is advocated is looking at what that risk portfolio looks like. 

I will tell you that the outcome of that table-top really proved out 
some of the things that we have talked about here today — the fuzz- 
iness in some instances of understanding who needs to commu- 
nicate with who, where those lines of authority and responsibility 
start and stop. We were very appreciative to the Department of 
Homeland Security for coming down to our great State and work- 
ing with us and facilitating that process. We found it of great 
value. 

It is one of the things that made its way into the call to action 
of States doing those kinds of exercises, so I certainly would advo- 
cate for that. I think the great State of Mississippi has benefited 
from it. 

Mr. Meehan. Will the gentleman yield for 1 second on this? 

Mr. Orgeron — 

Mr. Palazzo. Can you give me extra time towards — fantastic. I 
yield to the Chairwoman. 

Mr. Meehan. I just cleared that with the Chair. 

Did you do an After-Action Report after you 

Mr. Orgeron. I believe my chief security officer did, yes, sir. 

Mr. Meehan. Would you make that available to us, please? 

Mr. Orgeron. Of course. 

Mr. Meehan. I would like that. Thank you. 

Mr. Palazzo. Dr. Orgeron, did the State CIOs typically have ac- 
cess to Top Secret security clearances to help protect their State 
from cyber attacks? 

Mr. Orgeron. No, sir, typically not. It is my understanding that 
there are, I believe, two designated in each State — of course the 
Governor, many times it is the director of homeland security or po- 
tentially public safety. NASCIO certainly advocates that, given the 
rise of the impact of cyber that the State CIO be considered if more 
clearances were going to be allocated. 

Mr. Palazzo. So you say States get two clearances? 

Mr. Orgeron. That is my understanding, Congressman. 

Mr. Palazzo. Ms. Stempfley, would you like to add to that, and 
why they only receive two security clearances? 

Ms. Stempfley. Sir, I am not familiar with the limitation in that 
situation. I know we have actively worked to get clearances at the 
Secret level for State CIOs so that we can share the threat infor- 
mation, and generally that includes fulsome content for protection 
measures. So we have been actively working with NASCIO and 
others to get State CIOs cleared at that Secret level. 

Mr. Palazzo. Well, I have been to the TS/SCI process and I know 
it is lengthy, but you don’t want to cut corners because you do want 
to make sure we have the proper people accessing that information. 
So, of course, if we could lift any undue restrictions that would be 
nice so the States can be well prepared to access these threats. 

If I may sneak in a question, you know, begin the utilization of 
the National Guard, the Cyber Warrior Act, if — I would just like 
if you all would want to share your thoughts? I will start with Mr. 
Molitor on the end, a fellow soldier. 

Mr. Molitor. Yes, absolutely. I spent some time in the Wis- 
consin National Guard so I appreciate that. That is an ideal place. 
When I heard it earlier during the testimony I thought that is an 
ideal place to house that kind of capability because that State Gov- 
ernor can call on the National Guard for the response locally. That 
is where you bring together the civilian assets, the intelligence as- 
sets, and also the military assets to address natural disasters. 

I was actually called out one time after a tornado in Wisconsin 
for recovery efforts, so it is the same kind of thing in my previous 
testimony, where the parallels between natural disasters and cyber 
attacks are — it is the same impact on the citizenry, and that would 
be a great place, I think, to house that kind of capability on each 
State. 

Mr. Palazzo. I definitely agree with you. 

I guess we will keep going down anybody that wants to volunteer 
until the Chairwoman takes away my time. 

Mrs. Brooks. Important topic, so 

Mr. Sena. From the fusion center perspective, and also being a 
high-intensity drug trafficking area director in my center, we have 
had great support from the National Guard. They have been very 
good. That is the one thing that we are lacking — those folks that 
can go out there and help support, either through assessments or 
actually in reacting and responding to the threat issues. 

Every day we are bleeding a million cuts from the cyber attacks. 
They are doing telephone denial of services combined with cyber at- 
tack on institutions and really cutting us to the core. They move 
much quicker than we can. 

But having the Guard, having additional resources to deal with 
those threats is tremendous, so I appreciate that. Thank you, sir. 

Mr. Orgeron. Same sentiment, Congressman. I know Chair- 
woman Brooks mentioned in the beginning, Maryland. Maryland is 
one of the States highlighted in document that has a relationship 
with our National Guard. 

My own personal experience post-Hurricane Katrina was the for- 
mation of a wireless commission in our State, of which the Na- 
tional Guard had a seat at the table. We have built 144 towers 
across the State to communicate in the event of another disaster. 
That partnership has been wonderful for the States. I would cer- 
tainly expect that this one would be equally as good. 

Mr. English. Congressman, we certainly support that in Georgia 
and our troops are readying for that mission as we speak. I would 
say, though, that we need to give consideration to it being a sym- 
bol, similar to the civil support teams and the homeland security 
response forces that are now known as a full-time effort on a daily 
basis that we can work with all the time versus a weekend-type as- 
signment. 

Mr. Palazzo. That is a good point. 

Ms. Stempfley. We have heard this morning about the need for 
competent, skilled resources in the cyber environment. I know in 
the National Initiative for Cybersecurity Education we have really 
been focused on understanding the State and local needs in cyber- 
security, as well. I understand the Defense Department and DHS 
and others are studying how to best apply these particular re- 
sources and these patriots to this problem. 

Mr. Palazzo. I want to thank our witnesses. 

Madam Chairwoman, I yield back. 

Mrs. Brooks. Thank you. A very important point with respect to 
the National Guard and the critical role they could play and that 
they do play in many States. 

I am going to start on our second round of questioning, and if 
I — and this is to Mr. English. As I mentioned in my opening state- 
ment, you know, I did watch that movie that aired — not certain if 
others did — the “American Blackout,” this past weekend, and it 
really did portray the physical consequences of a cyber attack on 
the electrical grid. One of the issues that was highlighted in that 
movie and that I actually had a discussion with folks in my district 
last week was the impact on hospitals. 

As a leader in emergency management, I recently visited with 
representatives from a hospital, and as I was getting a tour of this 
hospital, and particularly in the emergency department, we began 
talking about if there were to be an incident of a cyber attack and 
its effect on a hospital system. While the physicians talked about 
the fact that, you know, they have operated, you know, until most 
recently without electronic medical records and could certainly per- 
form their duties, what they would have the most difficulty with 
were their diagnostic equipment — the imaging technology and all of 
the ability to get all of the diagnostics that they now are so accus- 
tomed to receiving in real time, very, very fast turnaround, wheth- 
er it is test results or lab results. 

So I am curious from the emergency manager’s perspective and 
the cybersecurity professionals, how do you coordinate with hos- 
pital systems and has there been a focus on that beyond making 
sure they have back-up generators and the fuel? What kind of co- 
ordination are we really doing with our hospitals? Because I have 
to tell you, this emergency department, while it has been discussed, 
I think they acknowledged and recognized that most have not real- 
ly prepared for that possibility. 

Any discussion on that, Mr. English? 

Mr. English. Yes, ma’am. 

Whereas we can always do a lot more work — that is for sure — 
the NEMA, the association I represent, and the State public health 
directors have been, for the past 18 months, involved in a relation- 
ship where we meet at least twice a year with the leadership and 
discuss issues. Most recently, one of the issues that we are talking 
about are — is mission-ready packaging for hospitals so that in a 
disaster they have already quantified the type of assets that they 
need through our mutual aid compact that can go from one State 
to the next, or from a impacted area to a — or a non-impacted area 
to an impacted area. 

So I feel like the relationship is good. I am thankful that 
throughout the past 10 years that States have been able to get 
more capability with the grant programs that have been available, 
and certainly a lot of those have gone toward hospitals and readi- 
ness and communication. 

Now, the issue of the imaging and that type of thing, I am not 
familiar with that. But I do know that the dialogue exists. 

Mrs. Brooks. Well, and I — the hospitals certainly said they have 
done a tremendous amount of exercising on triaging and mass cas- 
ualty events and so forth, but I think the possibility of truly a 
power — a significant and/or long-term power outage, I am just curi- 
ous whether or not anyone else has discussed with their hospital 
systems this very potential possibility. 

Anyone else have any discussions with their hospitals or with 
their public health officials about that possibility? 

Mr. Molitor. 

Mr. Molitor. Well, I haven’t had those specific discussions but 
there was an article in a magazine about 2 years ago focusing on 
a hospital in Japan in the wake of the tsunami there, and they had 
a micro-grid in place, and so this goes to Mr. Payne’s point about 
the smart grid. A micro-grid is a self-sustaining — it includes elec- 
tricity generation and also management for the load so that you 
can fuel critical loads like imaging diagnostics during an outage. 

So this whole idea of a micro-grid, a self-contained, powered ad- 
ministration unit within the hospital is a very real prospect. It ex- 
ists today and there are hospitals, even in the wake of Hurricane 
Sandy, that were able to continuously operate in the middle of the 
rest of the area where the power was down because they had those 
kind of micro-grids, that smart grid technology in place. 

Mrs. Brooks. Do you have any idea roughly how many hospitals 
in our country might actually employ micro-grids? 

Mr. Molitor. I do not, but we have a medical imaging division 
within my NEMA — you have got two NEMAs up here; get a little 
confusing. 

Mrs. Brooks. Sure. 

Mr. Molitor. But we have a medical imaging division and I can 
certainly check with them to see if they have any data and report 
back. 

Mrs. Brooks. Okay. Thank you very much. 
At this time I will ask Ranking Member Mr. Payne if he might 
have any further questions. 

Mr. Payne. Thank you. 

Let’s see. Mr. English and Mr. Orgeron — I am sorry. 

Mr. Orgeron. Orgeron. 

Mr. Payne. Orgeron. I apologize. 

Mr. Orgeron. That is okay. 

Mr. Payne. In 2013, the National Preparedness Report, States 
reported to FEMA that the lack of funding to develop robust cyber- 
security capabilities significantly contributed to the lack of con- 
fidence in State cybersecurity capabilities. Can you talk about the 
role of Homeland Security — the homeland security grant money in 
developing State cybersecurity programs and how reduced funding 
levels have affected the States’ efforts to develop those cybersecu- 
rity capabilities? 

Mr. English. The lack of funding I don’t think — or the cutback 
in funding hasn’t impacted that situation, in my opinion. I think 
Mr. Orgeron mentioned earlier that maybe if the grant guidance 
was a little broader and could entertain a more robust effort in the 
cybersecurity realm would be what we would like to see. Not nec- 
essarily more money, but maybe flexibility within the money that 
we get to be able to build out the cybersecurity assets. 

Currently in my State we do use grant money to provide cyberse- 
curity analysts to our fusion center, but that is really a drop in the 
bucket on the financial side. 

Mr. Orgeron. Mr. Payne, we would agree. I mean, I think our 
basic position is that the formulaic nature with the way the grants 
work, it may not be as appropriate in terms of the cyber threat, 
and we think some alterations there, much to Mr. English’s point, 
would benefit programmatically as a whole cyber initiatives in 
States. 

I should mention, too — it may be a good point to mention, too, 
that, I mean, the States are struggling with workforce issues as 
well. Not exactly related, but, you know, it is very difficult to re- 
cruit credentialed and excellent people. 

There is, I have been told, in essence nearly zero unemployment 
in this sector. So, you know, we have a very difficult time in re- 
cruitment, as well, which can impact mission. 

Mr. Payne. Okay. For you gentlemen, as well, with respect to the 
activities aimed at helping States prepare for, prevent, respond to, 
and mitigate the effect of cyber attack, what is the Federal Govern- 
ment doing well and what needs to be improved? 

Mr. English. I have got to sing the MS-ISAC praises. I think 
they are doing very well, and without great detail, had up-close 
and personal experience with their deployment to our State, along 
with our chief CIO — our CIO and the FBI and DHS and others. So 
I am more aware that that really worked well. 

Mr. Orgeron. I agree. We have a great relationship with MS- 
ISAC. 

Two other quick points: I mentioned our table-top cyber exercise 
that the Department — we got funding for, I think is a great, great 
tool at the State level to bring parties together to kind-of walk 
through, you know, exercises of various sorts. I think it is exceed- 
ingly beneficial to us. 
Mr. Payne. The other end, what needs to be improved? 

Speak now. 

[Laughter.] 

Mr. English. I really don’t have a lot of heartburn with what is 
going on in the coordination effort. I think we always want to make 
sure that States and local governments are included in the plans 
before they are made so that we can have input and that we are 
at the table. As I mentioned earlier, creating those reasons to col- 
laborate I think go a long way. 

Mr. Payne. So you say we are doing everything right? 

Mr. English. Out of ignorance, I would say yes. 

Mr. Payne. Okay. 

Mr. Orgeron. Well, you know, being the IT guy at the table, I 
think we want to be at the table when those conversations happen. 
I think it does vary from State to State on how those dialogues 
occur, but I think whether it is talking about the clearance issue 
or formulaic changes in grant programs, I think CIOs, or maybe 
even the chief security officers if not the CIO, certainly we would 
want them to be at the table during some of those dialogues, given 
the threats that we face. 

Mr. Payne. Thank you. 

Thank you, Mrs. Chairman. I yield back. 

Mr. Meehan [presiding]. Thank you. I appreciate the gentleman 
from New Jersey exploring those areas. 

Let me ask about the relationship that exists with the private 
sector, because one of the realities is 85 to 90 percent of the re- 
sources are really tied up in the private sector. We have heard nu- 
merous concerns about resources that are available, both with 
trained personnel and otherwise. Yet oftentimes — Mr. Molitor may 
be able to speak to — there are a lot of members of industries and 
others who have already made significant investment in individ- 
uals with skills who are there to — if we can share information ap- 
propriately — it also includes expertise. 

What is your experience in terms of — Mr. Molitor, you can jump 
into this question but I am interested in those who are rep- 
resenting State or fusion centers — what is your experience in terms 
of working with the private sector and how you are taking advan- 
tage of any of their assets or information sharing in your local re- 
gions? 

Mr. Sena. From my perspective I am probably the most blessed 
because my fusion center is in Silicon Valley area, so we have got 
some of the best technology companies in the world there. So we 
have got lots of resources and oftentimes they know better and 
more ways about dealing with a threat than we do in the Govern- 
ment or could ever think of. 

So trying to, you know, bring them on-board to make them part- 
ners with what we are doing in the fusion center, so that way when 
they ask us a question we can provide them with an answer. If 
they have the answer we can share that answer with others. 

They have, you know, bonded together over the last few decades 
in building Silicon Valley and the resources there, but the networks 
go well beyond there; they go across our country and across the 
world where they have, you know, resources. So trying to work 
closely with them, trying to give them those resources. 
The question always comes up about the clearances, and even 
within the fusion center ourselves, it takes us a long time to get 
our own people clearances, so but also trying to get them up to 
speed and actually physically bringing them in so we can give them 
briefings and actually help them solve these problems together. 
That is my goal. 

Mr. Meehan. So are there parts of your fusion center which in- 
clude a regular seat from private industry as a member? 

Mr. Sena. We have. In fact, one of our first folks that we brought 
in was from the health care industry. So right now we are working 
with some of our power partners and utility partners to bring them 
into the center to get them the backgrounds, to get them the re- 
sources they need. 

Oftentimes some of these people already had worked in Govern- 
ment for one of the other, you know, organizations that dealt with 
cyber and now they are working for the private sector. So we are 
trying to use those resources they have to help us in our center. 

Mr. Meehan. Mr. Orgeron, are you working at all with the indi- 
viduals in the private sector in your capacity? 

Mr. Orgeron. We do, Mr. Chairman. You know, States rely on 
telecom providers, big system integrators daily to get the work 
done in the States, so that reliance is absolutely there. I would ex- 
pect not only in my State but in many of the States the need for 
dialogue and inclusion is imperative. 

Mr. Meehan. Have you worked with CERT teams at all? 

Mr. Orgeron. We have. 

Mr. Meehan. Have they been helpful? 

Mr. Orgeron. They have. 

Mr. Meehan. Ms. Stempfley, Secretary, you have been a stalwart 
supporter of efforts to do some of these things, but one of the coun- 
cil recommendations from your own advisory council was taking ad- 
vantage of some of the skilled alumni in DHS, among other things, 
and there was an idea of trying to do outreach to make some of 
them available. Has there been any progress made in the idea of 
looking for those who have been in service at DHS and are no 
longer there but are still able to lend a hand at times of crises? 

Ms. Stempfley. I regret, sir, I am not familiar with the rec- 
ommendation that you speak of. But one of the things we work 
very closely with is keeping in touch with both former DHS col- 
leagues and those individuals in the private sector who are a part 
of the owners and operator community of critical infrastructure, 
particularly those in the IT, communications, energy, electric, and 
other sectors. 

I know you have been to our National Cybersecurity and Communications 
Integration Center, where we are very focused on inte- 
grating our private-sector partners into our operations activities 
and we work very closely with our private-sector partners in not 
just protection and planning efforts but in the response efforts, as 
well. 

Mr. Meehan. Yes. This was a recommendation that was called 
the Cyber Reserve Program that was run through DHS, and it may 
or may not be implemented. I know what happens. There are a lot 
of good ideas that sound — they get laid on your plate in the midst 
of all of these, and I just wondered if you had any insight on that 
program. 

Ms. Stempfley. Thank you for making that connection in my 
brain. We actually post that set of recommendations. The then-dep- 
uty secretary established a task force to look at all of the rec- 
ommendations from that Homeland Security Advisory Council — set 
of recommendations on workforce activities. We have moved for- 
ward on many of them. The cyber reserve efforts and the potential 
utilization of current and former DHS colleagues in execution of 
this mission is one that planning activity has been underway. 

Mr. Meehan. All right. Well I thank you for that clarification. 

My time is expired and I will turn to the gentleman from Ne- 
vada, Mr. Horsford. 

Mr. Horsford. Thank you very much, Mr. Chairman, to you, to 
Chairwoman Brooks, to the Ranking Member Mr. Payne and Rank- 
ing Member Clarke, for holding this important and crucial hearing. 

I want to commend my colleague, Mr. Payne, for his legislation 
on the study for the smart grid. I know in my State and in regions 
throughout the country we have heard time and time again about 
the need to protect critical infrastructure, including, you know, our 
electric grid and water systems and other things that play into the 
grid. So I look forward to working with you on that legislation and 
commend you and your leadership for bringing it forward. 

After hearing the opening remarks I wanted to delve into a cou- 
ple of questions that aren’t on my prepared questions. 

Mr. Sena, right? 

Mr. Sena. Sena, sir. 

Mr. Horsford. So I have been in my fusion center. I am from 
Las Vegas — 40 million visitors a year, 2 million residents in Clark 
County, and sheriff took me on a tour, met with all of our emer- 
gency management, first responders — local, State, Federal, and 
private-sector participants at that fusion center. 

What is troubling to me is you say all the right things operation- 
ally for what is needed — the integration, the sharing of informa- 
tion — but then we have policy that doesn’t support that approach. 
For example, the UASI money. In my State, Las Vegas was elimi- 
nated from the top-tier funding communities for our fusion center 
and lost several million dollars. My hope is we will get that back 
and I am working with the Department and FEMA and other agen- 
cies to make the case, but the policy doesn’t support the practice 
that you envision. 

So I would like for you to touch on how funding like UASI is crit- 
ical in supporting your needs, particularly with the cybersecurity 
focus, which, as far as I reviewed in the primary factors of the 
UASI money allocation, I didn’t hear cybersecurity come up enough 
even though it is the most emerging threat to our critical infra- 
structure. So can you speak to that, please? 

Mr. Sena. Absolutely, sir. Congressman, just to let — as you 
know, with the reductions in UASIs and the inconsistencies and 
how the funding goes for those grant projects to support fusion cen- 
ters, fusion centers are owned and operated by State and local 
agencies. I myself work for the San Mateo County sheriff’s office. 
But it is up to those regions how they develop those programs and 
some are highly dependent on Federal funding. 
We have some fusion centers that totally support their operations 
based on their own State budgets, local budgets. But when we are 
trying to develop programs that have a National importance, that 
have — meet those National priorities, those National missions, we 
have to develop the funding stream to support those programs. 

Basing it on — and UASIs have been great across the country, but 
if you have no money they have got no way to give anything to the 
fusion center, and therefore the fusion center cannot support their 
programs. That is where we are at right now. 

The other issue we have is the grant time line cycle of 2 years 
now, which basically means that once you get through with all the 
management issues of trying to move funding you have about 8 
months to spend your money. Well, most people’s salaries go for 12 
months. That creates a little bit of a problem. 

But we have those huge issues between how the money gets to 
the fusion centers and how it gets devoted to those programs. Right 
now there is no consistency across the country in how that money 
is delved through. Not just in the case of the Las Vegas fusion cen- 
ter, but other fusion centers across the country that lost their UASI 
funding — to the point of some, 30 percent. How do you run an oper- 
ation when you have lost 30 percent of your money or 100 percent? 

Mr. Horsford. Right. 

Mr. Sena. It is difficult. 

Mr. Horsford. Well, it is difficult when you have these emerging 
threats, which are ever changing. Everything you all talked about 
today is, you know, the people we are trying to prevent from at- 
tacking us are more creative, more resourceful, are working around 
the clock, and yet we are not putting in the resources to combat 
that. 

I think the UASI funding, Mr. Chairman, is one area that needs 
to still be reviewed and, you know, I am committed to doing my 
part in bringing forward solutions for how it needs to be reviewed. 
But I think the cybersecurity factor in how communities rank 
should be reevaluated. So I will put that on the table. 

Mr. Chairman, can I have just 1 more minute? 

Mr. Meehan. Yes. The Chairman will recognize the gentleman 
for a follow-up question. 

Mr. Horsford. I just want to ask about this interrelation be- 
tween State and Federal entities. Given the inherently inter- 
connected nature of the cyber landscape, why is it that harmo- 
nizing standards for the Federal Government is beneficial but re- 
quiring the same of State governments which may interface with 
Federal systems is not? I wanted Mr. Orgeron to answer that ques- 
tion. 

Mr. Orgeron. Sure. We talked about NIST earlier, and I think 
from a framework perspective we certainly think that having a 
common framework would be most beneficial, whether it is at the 
State level or the Federal level. Certainly a framework that would 
help the two entities communicate, you know, I think we believe 
would be a good thing. 

Mr. Horsford. Thank you. 

Mr. Meehan. I thank the gentleman. 

The Ranking Member has a follow-up question and so I recognize 
the Ranking Member for 
Mr. Payne. Thank you, Mr. Chairman. 

This was a question that Congresswoman Clarke had: Cybersecu- 
rity technologies have made a major advancement over the last 
decade, just as the IT industry has. But the electrical grid has been 
built over the course of 100 years. 

So, Mr. Molitor, in terms of cybersecurity, how do we deal with 
the legacy equipment that was installed before anyone was think- 
ing about cyber threats and what was to come and is here now? 

Mr. Molitor. Yes. That is a great question. Fortunately, a lot of 
the legacy gear doesn’t have the kind of communications capabili- 
ties that makes it hackable to begin with. But if you have got a 
dead zone in the middle where you don’t have cybersecurity capa- 
bilities built in you have to build your cyber perimeter around it. 
So the objective is — and especially through these smart grid tech- 
nologies — is that you have the communications ability and the 
sensing ability on the adjacent devices so that you can identify 
when that device in the middle starts to underperform. So that 
would be the best indication that you have. 

The challenge that we have is that a lot of these assets that were 
installed in the electric grid have a 20-, 30-, or 40-year life span 
before they can be replaced by the utility companies. So, you know, 
part of the cure to this is being able to fix the accounting rules and 
the other financial rules so that they can depreciate those assets, 
get them out of the grid, and replace them with the ones that can 
respond properly to a cyber attack. 

Mr. Payne. So in your opinion — and I will close with this and I 
will ask each of the witnesses — you know, the legislation I have in- 
troduced, the SMART Grid Study Act, do you think that is the di- 
rection we should go so we can understand what we need to do to 
ensure the critical infrastructure is cyber safe? 

Mr. Molitor. Absolutely. I am a firm believer that if you want 
to improve something you need to measure it. You provide the 
mechanism to obtain that measurement. 

Mr. Payne. Mr. Sena? Same question. 

Mr. Sena. We definitely — I mean, for years we have been build- 
ing a great castle with physical — sorry, sir — building a great castle 
with physical security issues, but we have got this moat around us 
that has a stream that goes right into our critical infrastructure 
and we are so vulnerable, but the resources are not going there. We 
do have to have that capability. 

We do have to have better electronic resources to deal with 
threat in real time but we also need analysts and people that can 
accept the information and know what we are looking for. Right 
now that is our big problem, from the high-end technical side to the 
people who are operating the computers within the locations, 
whether it is Government, whether it is critical infrastructure, you 
know, spear phishing, opening up the wrong e-mail can open up your 
network to huge issues. 

When it is considered to be the electrical grid or any of our other 
critical infrastructure, that can be our fall down. My goal is to pre- 
vent that as best we can, so thank you. 

Mr. Payne. Mr. Orgeron. 
Mr. Orgeron. I agree. I mean, State government, especially from 
a technology perspective, whether it is consolidated data centers or 
networks, are highly reliable on the grid, so absolutely. 

Mr. Payne. Mr. English. 

Mr. English. Absolutely. We have to have the power to make 
things work, and thank you for doing that. 

Mr. Payne. Okay. 

Ms. Stempfley. 

Ms. Stempfley. So we certainly have talked about the linkages 
between the cyber and physical environment, and one of the things 
that we are focused on at DHS is helping as infrastructures are up- 
graded — as our aging infrastructure is upgraded and takes advan- 
tage of the technology that exists today, helping them understand 
how to be more resilient in this cyber environment. So I think that 
is an important focus area. 

Mr. Payne. Well, I thank all of you witnesses. 

Just for the record, this study would not cost any more money. 
The money is already in place and we have offsets that would take 
care of the cost of the study. 

I yield back. 

Mr. Meehan. I thank the gentleman. 

I am just about prepared to gavel the hearing down but I have 
one question that I want to ask for those who are involved in the 
State side, because I know that there has been some discussion 
about the need we have for people who are capable of working with 
you in both understanding and then addressing these kinds of con- 
cerns, and then simultaneously we have got, year after year, stu- 
dents that are graduating from colleges and universities, junior col- 
leges all throughout our country and they are looking for a job. 

It stuns me that we have educational institutions on the one side 
that are already — not looking for grant programs; they are already 
taking tuition. Some of these kids are going into debt to do this, 
and then they come out and they are saying, “Where do I get my 
first job?” 

Then here you are running organizations which are saying, “Boy, 
we need people in here.” What are you doing even with your own 
State university systems to implement some kind of connection be- 
tween the training that could take place and the availability of a 
workforce? 

Mr. Sena. Sir, I have to mention — and thanks in great part to 
our partners in the Department of Homeland Security, MS-ISAC, 
and our other State organizations — we actually had a pilot, you 
know, internship program this summer — brought some of the most 
brilliant people into my center. Great employees, great interns. Did 
some tremendous work for us. 

So we brought them in but, of course, we have no funding to pay 
for interns. We have no money to pay for, you know, those ana- 
lysts. You know, eventually we are getting some money from our 
UASI to bring on some analytical staff, but, you know, we brought 
in eight interns who did great work and those interns across the 
country were also deployed — recruited by DHS, recruited through, 
you know, cyber exercises that they would do on the weekends to 
see who could, you know, do the best infiltration of systems. 
So we had the best minds out there but we have no money to 
hire these people and that is — you know, that is the tragedy of it. 
You know, great interns and, you know, free labor force for us, but 
we need them long-term and there is just no sustainment for that 
right now. 

Mr. Meehan. Do they get directed to private-sector opportuni- 
ties? 

Mr. Sena. We do. We give them, you know, pass their informa- 
tion along to the private sector. But as was said previously, you 
find very few open jobs in that sector. But right now it would be 
great if we had that ability even to pay the interns for the time 
they spend with us, but also to bring them into Government work. 
They are just — you know, from the State perspective, you know, 
money has always been tight, and especially nowadays it has been 
tight, so trying to have funding to bring in those brilliant minds 
is difficult. 

Mrs. Brooks. Would the Chairman yield one moment? 

Mr. Meehan. Sure. Absolutely. 

Mrs. Brooks. I am curious, before others might respond, wheth- 
er or not you are educating your governors, your mayors, your 
councils who appropriate the funds for your departments to under- 
stand what the cyber threat might be? Because obviously, you 
know, there is always a push for more police officers on the street, 
more fire fighters, but yet there needs to be — and when we may be 
calling them analysts is part of the problem in that they appear to 
be support staff when, in fact, they are a cyber force and can be 
like a street officer. How are you educating the executives and 
those, you know, with the appropriations authority to, you know, 
make sure that they understand what the needs are, just out of cu- 
riosity? 

Mr. Sena. I can tell you that after we made a presentation to our 
UASI on what the threat was, it immediately voted to give us 
$400,000 right off the bat. So they see the threat. But that is only 
if they have the funding available to allocate, and in this case they 
had the funding. 

That funding may not be there next year, but that is the problem 
we have. There has to be a funding source and currently most 
States don’t have the funding source other than potentially through 
those Federal grants. Those, the allocation varies between those 
centers, like in Las Vegas, that they just don’t have any money for 
it. 

Mr. Orgeron. We certainly do advocate with the Governor, elect- 
ed officials, the legislature, the importance of a topic like this and 
potentially the disconnect between really doing great Government 
and needing great people to do great Government that have the 
right skills, and this is a marked gap to the point. 

To the other question, all the things Mr. Sena said — working 
with universities on co-op programs to get students in, internship 
programs. It is really at the local level — at the local-State level — 
I think more, you know, just that you can get them interested. I 
mean, States are doing phenomenal things across all kinds of 
projects, especially in our State with a new data center. 
It tends to be keeping them is the thing. They are great kids, 
and so we do. We go to the universities regularly, go to recruiting 
fairs regularly, and so — and we will continue both of those things. 

Mr. Meehan. Well, I want to say, I think on behalf of all of my 
colleagues here, we appreciate your service. In many ways you, as 
was articulated by one bit of testimony, are out of there on the tip 
of the spear, and the experiences that you have, as well, not only 
in what you are doing each day but by virtue of analyzing the na- 
ture of the threat and the challenges that we have, and then by 
taking the time to both prepare your testimony and be responsive 
to our questions helps us educate — helps you educate us to be your 
partners in working for better, more efficient, more effective ways 
to deal with what we all agree, I believe, is one of the great chal- 
lenges that we face here and an emerging and ever-changing na- 
ture of the threat, different from, in many ways, from those which 
we have been addressing over the course of the recent decade. 

So I thank the witnesses for your valuable testimony and the 
Members for their questions. The Members may have — from the 
subcommittee may have additional questions for the witnesses, and 
if they do we ask that you would take the time to respond in writ- 
ing. We are certainly free for any further follow-up information you 
would like to forward to us for the record. We will keep the record 
open for 10 days for that purpose. 

So without objection, the subcommittees stand adjourned. Thank 
you for your testimony. 

[Whereupon, at 11:52 a.m., the subcommittees were adjourned.] 
Questions From Chairwoman Susan W. Brooks for Roberta Stempfley 

Question 1a. FEMA has a number of incident annexes to the National Response 
Framework, including a Cyber Incident Annex. The current Cyber Incident Annex 
was developed in 2004, nearly 10 years ago, when technology and the cyber threat 
were very different. 

The draft NCIRP states that it was developed in conjunction with the update of 
the Cyber Incident Annex. However, according to FEMA, the Annex has not yet 
been updated and will be not updated until later this fiscal year, with an antici- 
pated completion in fiscal year 2015. 

Will CS&C be involved in this update? 

Answer. The Office of Cybersecurity and Communications (CS&C), working with 
a broad set of partners, to include the Federal Emergency Management Agency, will 
continue to advance the dialogue around coordinated planning through development 
of operational playbooks and other planning frameworks. We anticipate that CS&C 
would be deeply involved in any updates to the National Response Framework’s 
Cyber Incident Annex. 

Question 1b. In a broader sense, how do you work to coordinate cyber doctrine 
within the Department to ensure that the plans and procedures in place are up-to- 
date and applicable to the current threats we are facing? 

Answer. CS&C works with the Department of Homeland Security (DHS) Head- 
quarters and other DHS components on a continuous and on-going basis to coordi- 
nate cyber issues. Many of these interactions take place at the working level in 
order to keep pace with the dynamic cyber threat environment. There are weekly 
leadership meetings consisting of both internal DHS organizations as well as our 
interagency partners specifically to coordinate on cyber issues. 

In November 2011, DHS completed the Blueprint for a Secure Cyber Future: The 
Cybersecurity Strategy for the Homeland Security Enterprise (Blueprint). The Blue- 
print provides a process to create a safe, secure, and resilient cyber environment for 
the homeland. The Blueprint identified capabilities necessary to achieve DHS’s cy- 
bersecurity goals. The development of the Blueprint was truly a cross-organiza- 
tional, integrated process that brought together elements of the following compo- 
nents and sub-components of DHS: 

• DHS/NPPD Office of Strategy and Policy (S&P); 

• DHS/PLCY Office of Strategy, Policy, Analysis, and Risk (SPAR); 

• DHS/CFO Office of Program Analysis and Evaluation (PA&E); 

• DHS/Office of Intelligence and Analysis; 

• DHS/Office for Civil Rights and Civil Liberties (CRCL); 

• DHS/Office of Operations Coordination and Planning (OPS); 

• DHS/NPPD Office of Budget, Finance, and Acquisition; 

• DHS/NPPD Office of Cybersecurity and Communications (CS&C); 

• DHS/NPPD Office of Infrastructure Protection (IP); 

• DHS/Science and Technology Directorate (S&T). 

Accompanying the Blueprint is a Mission Management Plan that prioritizes the 
Blueprint capabilities that DHS will mature over the next several years. The Mis- 
sion Management Plan serves as a baseline for coordination and assignment of 
tasks based upon the capabilities and responsibilities across the Department. An ex- 
ample of this would be leveraging the skills and resources of the U.S. Secret Service 
along with Immigrations and Customs Enforcement to investigate cyber criminals. 
The results of these efforts are used internally within DHS as well as a baseline 
for discussions with our partners across the interagency, State, local, Tribal, and 
territorial governments and the private sector. 

Question 2a. In reviewing the National Cyber Incident Response Plan (NCIRP), 
I am a little unclear of the link and cooperation between the NCCIC and FEMA 
and have a couple questions regarding that link and cooperation. 

Does FEMA currently have personnel that are stationed full-time at the NCCIC? 

Answer. The Federal Emergency Management Agency (FEMA) does not currently 
have personnel who are stationed full-time at the National Cybersecurity and Com- 
munications Integration Center (NCCIC). 

The DHS Office of Operations Coordination and Planning has a full-time em- 
ployee stationed at the NCCIC and another full-time employee stationed at the 
FEMA National Response Coordination Center (NRCC). The National Operations 
Center (NOC) is also staffed by a full-time desk officer from the NCCIC and another 
full-time desk officer from the FEMA NRCC. This exchange of personnel facilitates 
real-time coordination and collaboration in the event of a cyber-related incident. The 
NOC, NCCIC, and NRCC continuously share information and have access to the 
DHS Common Operating Picture (COP) for situational awareness. Additionally, the 
NOC receives and integrates daily reporting from the NCCIC and the NRCC. Also, 
the three operations centers conduct coordination calls at least three times daily via 
the NOC’s Operations Centers conference calls (NOC Blast Calls). 

Question 2b. If “YES”: Who is this person — from what office within FEMA? If 
“NO”: Do you think it would be a good idea to have a FEMA representative at the 
NCCIC? 

Answer. Recognizing the potential significance of a cyber-physical event and the 
value of close FEMA-NCCIC synchronization, staffs from the two organizations 
meet often to discuss planning and exercise activities and to maintain watch center- 
to-watch center communications. In response to Emergency Support Function-2 ac- 
tivations, NCCIC regularly deploys staff to FEMA operations centers. In the event 
of a significant cyber incident, FEMA would deploy appropriate staff to the NCCIC. 

Question 2c. How does the NCCIC communicate with FEMA on the potential 
threats the NCCIC is seeing and their possible consequences that may require 
FEMA to respond? 

Answer. NCCIC and FEMA communicate via watch center-to-watch center com- 
munications. FEMA receives NCCIC situational reports and awareness products, 
which highlight more significant cyber and communications incidents and the 
NCCIC receives FEMA situation reports on a recurring and routine basis. 

The DHS NOC, NCCIC, and NRCC all have access to the DHS Common Operating Picture (COP) and Homeland Security Information Network (HSIN). The COP and HSIN are the primary systems used for sharing and viewing Unclassified information along with other situational awareness products. Also, all three operations centers participate in coordination calls at least three times daily via the NOC’s Operation Centers conference calls (NOC Blast Calls). 

Question 3. The draft National Cyber Incident Response Plan (NCIRP) states that 
it “was developed in close coordination with Federal, State, local, territorial, and pri- 
vate-sector partners.” I am interested in hearing more about the Department’s out- 
reach process during the development of the NCIRP because we have heard from 
stakeholders that there wasn’t sufficient outreach and that this is more of a “Fed- 
eral plan” than a “National plan.” 

Answer. The Department of Homeland Security (DHS) developed the National 
Cyber Incident Response Plan (NCIRP) in close coordination with public and pri- 
vate-sector stakeholders. During the early stages of development, DHS asked for 
volunteers through the Cross-Sector Cyber Security Working Group (CSCSWG), 
which includes Federal and private-sector representatives from each of the critical 
infrastructure sectors and convenes under the auspices of the Critical Infrastructure 
Partnership Advisory Council. The Department also sought collaboration through 
intergovernmental partners, the information sharing and analysis organization com- 
munity and among Federal interagency partners. DHS drafted the document by 
sending out discussion papers — generally draft sections of the NCIRP starting with 
scope and purpose — and captured notes from subsequent discussions with public 
and private-sector participants. In addition to incorporating review comments into 
iterative drafts of the NCIRP, DHS also held table-top exercises and the Cyber 
Storm III National Exercise to further inform versions of the draft plan. Among the 
participants in the table-top exercises were the Information Technology Information 
Sharing and Analysis Center (ISAC), the Communications ISAC, the Financial Services ISAC, and the Multi-State ISAC (MS-ISAC). The MS-ISAC includes among its membership the chief information security officers from each of the 50 States as well as several U.S. territories and local Government representatives. Cyber Storm 
III included participation from eight Cabinet-level departments, 13 States, 12 inter- 
national partners, and 60 private-sector companies and coordination bodies. To- 
gether, these entities participated in the design, execution, and post-exercise anal- 
ysis of the cyber exercise. Participation focused on the information technology, com- 
munications, energy (electric), chemical, and transportation critical infrastructure 
sectors and incorporated various levels of play from other critical infrastructure sectors. In addition, Cyber Storm III included the participation of States, localities, and coordination bodies, such as ISACs, and international governments to examine and strengthen collective cyber preparedness and response capabilities. During the exercise, the participant set included 1,725 Cyber Storm III-specific system users. 

Questions From Chairwoman Susan W. Brooks for Charley English 

Question 1a. How are State officials responsible for cybersecurity and emergency 
management coordinating to ensure awareness of the cyber threats you face? 

Answer. The type and scope of coordination occurring between State officials re- 
sponsible for cybersecurity and emergency management officials vary widely by 
State. In a survey NEMA conducted in February 2013, we learned no clear best 
practice exists in assigning responsibility of coordination of resources to prepare for, 
respond to, or recovery from a cyber attack. Only 41.9 percent of States cited a spe- 
cific director. Of the 41.9 percent, responsibility ranges from the emergency manage- 
ment officials to IT, homeland security, and the fusion center. Where those respon- 
sibilities diverge, coordination occurs much in the same way as it would with any 
other all-hazards risk. 

Question 1b. What support are you getting from DHS in that regard? 

Answer. Programmatic offices such as the Office of Cybersecurity and Commu- 
nications (CS&C) within DHS continue admirable work in their outreach to State 
and local officials. The larger challenge however is that the overall DHS effort, to 
include agencies such as FEMA, must be comprehensive and coordinated in order 
to ensure all the nuances of the threat and impact of consequences receive appro- 
priate attention. In recent years, as the issue of cybersecurity grows, agencies have 
a tendency to create niches within the Department instead of adopting a comprehen- 
sive approach. Without a cohesive strategy from the National level addressing the 
consequences of a cyber attack, we run the risk of being unprepared should an event 
occur. 

Question 1c. What more could they be doing? 

Answer. DHS must recognize the impacts of a cyber attack extend beyond public- 
private relationships or simply securing networks. To date, the Department offers 
little guidance on the potential depth and breadth of cyber consequences. A deeper 
analysis must be accomplished on current disaster-related statutes such as the Staf- 
ford Act to consider whether such attacks would be eligible for Federal assistance. 
If so, guidance must be provided to the States. If not, an on-going dialogue must 
occur so all interested parties understand the current limitations of State and local 
governments in these economically-constrained times. 

Question 1d. Is there anything Congress can do to help? 

Answer. As Congress considers legislative options, the needs of the State and 
locals ultimately responsible for the consequences of a cyber attack must be first 
and foremost. In May of last year, NEMA joined with nine other associations to ask 
Congress for your consideration of key principles and values when considering cybersecurity legislation. In addition to consideration of the principles and values, 
Congress must work with DHS ensuring all potential consequences of a cyber attack 
are thoroughly considered in appropriate authorities such as the Stafford Act. 

Question 2. A movie titled “American Blackout” that aired in October portrayed 
the physical consequences of a cyber attack on the electrical grid. One of the major 
issues highlighted was the impact on hospitals. 

I recently visited with representatives from a hospital in my district and we dis- 
cussed cybersecurity. The doctors, particularly those from the emergency depart- 
ment, are extremely concerned with their ability to function in the event of a cyber 
attack that impacts their power supply. This goes beyond medical records. They are 
very concerned about access to imaging technology that saves lives. 

In the event of a cyber incident that impacts the electric grid, how would emer- 
gency managers and cybersecurity professionals coordinate with each other and the 
private sector to determine how soon the problem could be fixed and in turn prop- 
erly identify necessary resources to assist hospitals beyond the generators and fuel 
they regularly keep on hand? 

Answer. We would typically treat this type of incident just as any other. Emer- 
gency managers operate in an all-hazard environment and would coordinate with 
the cybersecurity professionals as we would any other Emergency Support Function 
(ESF). The resources would be done the same way. There are many disasters that 
affect our power grid, from ice storms to major storm fronts. It takes a Federal-State 
coordinated approach to create and improve a threat-specific annex to State Emer- 
gency Operation Plans. Emergency management plans are intended to address im- 
pacts of all hazards, regardless of cause. 
Question 3. States have repeatedly identified cybersecurity as the lowest core capability in their State preparedness reports. To your knowledge, when developing 
this assessment, were State chief information officers or chief information security 
officers involved in the process? 

Answer. While the exact number is not known, the collaboration and inclusion be- 
tween chief information officers and emergency management officials is increasing 
due to the threat and the increasing awareness of the issue. For example, in the 
State of Ohio, the State Security Information Officer was involved in the responses 
to cybersecurity in the State preparedness report. In Arkansas, the Chief Informa- 
tion Officers as well as the Chief Information Security Officers are involved in the 
process of identifying core capabilities. 

Questions From Chairwoman Susan W. Brooks for Craig Orgeron 

Question 1a. How are State officials responsible for cybersecurity and emergency 
management coordinating to ensure awareness of the cyber threats you face? 

Answer. Coordination on cybersecurity varies drastically from State to State. This 
has to do with different models of State governance and centers of authority for cy- 
bersecurity response and emergency management. This is not only reflective of the 
different maturities regarding readiness to respond to cyber threats in the States, 
but also the diverse topography of State governments. There is increasingly coordi- 
nation between State CIOs with emergency managers and other agency officials re- 
garding disaster continuity, recovery, and emergency management. As referred to in 
my testimony, NASCIO’s 2013 State CIO Survey states: 

“Not surprisingly, disaster recovery and business continuity are issues that continue 
to receive increased attention in the State CIO community . . . We asked CIOs 
how they approached these initiatives within their State. As Figure 13 shows, al- 
most two-thirds of States pursue a federated strategy with responsibilities split be- 
tween the CIO and State departments and agencies.” 

[Figure 13: Please characterize the general approach to IT disaster recovery and business continuity in State government] 

While our research shows increasing collaboration between State emergency managers and State CIOs, it is difficult to describe how a State would react to a cyber incident impacting a hospital as described in the question. The primary reason: With public-sector cybersecurity being such a nascent area, States have divergent 
governance and procedures in place to deal with significant attacks on critical infra- 
structure. Virtually every State has some means to provide support, whether 
through State police, its fusion center, or another State agency. 

Further complicating matters, data does not exist to make extensive claims to 
best practices when it comes to governance. While several States have held cyberse- 
curity exercises and learned from the experiences, the effectiveness of one govern- 
ance model over another has not been thoroughly and publicly tested by real-world 
events. 

Beyond this uncertainty, there are significant legal questions to be considered. For 
instance, a private hospital may not be able to take advantage of certain public re- 
sources. It is unclear a private entity could receive support from the National Guard 
without the declaration of a state of emergency by a Governor. Other questions 
come into play, as well: Legal liabilities, cyber forensics of a virtual crime scene, and 
more. The area simply has not been defined. The legal implications are an area that is ripe for Congress to explore. 

Question 1b. What support are you getting from DHS in that regard? 

Answer. There are several venues and tools from DHS or funded by DHS that 
provide State governments with additional awareness of and support in thwarting 
cyber threats. Perhaps the most prominent of these are the National Cybersecurity 
and Communications Integration Center (NCCIC), United States Computer Emergency Readiness Team (US-CERT), and Multi-State Information Sharing and Analysis Center (MS-ISAC). Complementing and supporting State fusion centers and similar technical support is also of significant value as long as DHS ensures it is 
supporting the State’s cybersecurity governance model. Broader efforts such as the 
National Initiative for Cybersecurity Education (NICE) are also vital for States to 
receive the type of talent they need to secure their systems, and should be ex- 
panded. 

Question 1c. What more could they be doing? 

Answer. In many States, neither Chief Information Officers nor their Chief Infor- 
mation Security Officers are cleared to the Top Secret level — only the Secret level. 
Therefore, they cannot receive vital information from the intelligence community on 
the most advanced international threats against our networks without explicit in- 
tention and additional pre-clearance. While DHS certainly would include a State 
CIO or his CISO in such a conversation, it is not so certain the rest of the intel- 
ligence community would know to reach out to the State CIO and clear them for 
such a briefing. This should be remedied. 

NASCIO hopes that greater information sharing and better tools to disseminate 
this information will be released as part of the implementation of Executive Order 
13636 and Presidential Policy Directive 21. NASCIO and its members are pleased 
with the on-going effort to provide greater declassification of cyber threat informa- 
tion as part of the EO, and look forward to seeing greater results. 

In addition, we believe the National Cyber Security Review could be followed up 
with the promise of Federal technical assistance to State and local participants who 
lag behind in vital areas. This will have the dual benefit of safeguarding citizen 
data and encouraging greater participation in National level vulnerability assess- 
ments. 

Efforts to provide support for cyber education among public employees in the 
States and broader social awareness of on-line threats, similar to public awareness 
campaigns in the vein of “see something, say something,” are also valuable. 

Question 1d. Is there anything Congress can do to help? 

Answer. While opportunities for limited Federal assistance for cyber threats have 
been included in the National Preparedness Grant Program (NPGP), its shrinking 
pool of resources coupled with a formulaic structure that favors hardening targets 
against attacks at the jurisdictional level means States typically only have enough 
funding to maintain legacy homeland security investments and administer grants 
to local governments. For NPGP to meet the current threats faced by our States and 
localities, changes will need to be made to this program by Congress. 

Greater resources for technical programs that support information sharing, tech- 
nical assistance, and cyber threat exercises would be valuable, as well. Efforts to 
increase the public sector cyber workforce, ranging from targeted initiatives such as 
the DHS National Initiative for Cybersecurity Education to supporting computer 
science education in schools at every level, are extremely valuable. Such programs 
should be expanded and supported — both for the sake of our Nation’s homeland se- 
curity and our economic security. Larger public service campaigns to increase 
knowledge of the risks on-line, in the model of “see something, say something” or 
“click-it or ticket” would help reduce risk to both public and private-sector networks. 

Question 2. As you may know, as a condition of receiving State Homeland Security 
Grant Program funding, the State Administrative Agency (SAA), which is usually 
either the State Homeland Security Advisor or Emergency Manager, must complete 
a Threat and Hazard Identification and Risk Assessment, which, as the name sug- 
gests, details threats and hazards facing each State. Some States, including my 
home State of Indiana, have included cybersecurity in their THIRAs. 

To your knowledge, have your colleagues been included in this process to ensure 
the SAAs have the best picture of the cyber threats they face? 

Answer. Unfortunately, NASCIO has no data on how many States include cyber- 
security in their THIRAs, and whether SAAs have included their State CIOs in the 
THIRA process. NASCIO will review this question with its membership and attempt to provide the committee with a well-researched answer in the near future. 

Questions From Chairwoman Susan W. Brooks for Mike Sena 

Question 1a. Your fusion center is one of a small number of fusion centers in the 
National Network proactively incorporating cybersecurity into its mission. I applaud 
you and your fusion center’s efforts in this challenging environment. 

What Federal, State, and local partnerships have you developed to help the 
NCRIC contribute to this important mission? 

Answer. Response was not received at the time of publication. 

Question 1b. What analytical products and situational awareness reports has the NCRIC produced? Do you have a sense as to how these products have been perceived by your partners? 

Answer. Response was not received at the time of publication. 

Question 1c. How is the National Fusion Center Association working to advance 
cybersecurity efforts across the National Network? 

Answer. Response was not received at the time of publication. 

Question From Chairwoman Susan W. Brooks for Paul Molitor 

Question. Mr. Molitor, in your testimony you mention the NEMA Field Represent- 
ative Program. 

Would you please tell us more about this program and how, if at all, these experts 
are available as a resource to emergency management officials during an emer- 
gency? 

Answer. NEMA is the association of electrical equipment and medical imaging 
manufacturers, founded in 1926 and headquartered in Rosslyn, Virginia. Its 400- 
plus member companies manufacture a diverse set of products including power 
transmission and distribution equipment, lighting systems, factory automation and 
control systems, and medical diagnostic imaging systems. The U.S. electroindustry 
accounts for more than 7,000 manufacturing facilities, nearly 400,000 workers, and 
over $100 billion in total U.S. shipments. 

The NEMA Field Representative Program is geared toward providing information 
and training to government officials (including building code officials, electrical in- 
spectors, and emergency managers), maintaining the lines of communications be- 
tween these individuals and the manufacturing community, and assisting in the 
wake of disasters. The relationships forged in advance of the disaster are invaluable 
in the ensuing confusion and turmoil. As advocates of safe electrical systems and 
installations, NEMA Field Representatives make a valuable contribution to public 
safety. 

NEMA has four Field Representatives located in regional offices around the coun- 
try. Their regions of coverage are aligned with the International Association of Electrical Inspectors (IAEI) Section Regions. The representatives are: 

(1) Mike Stone.— Region: AK, AZ, CA, HI, ID, MT, NV, NM, OR, UT, WA. 

(2) Donald Iverson.— Region: WY, CO, ND, SD, NE, KS, MN, IA, MO, AR, WI, IL, MI, IN, KY, OH, WV. 

(3) Paul Abernathy.— Region: TX, OK, LA, MS, TN, AL, FL, GA, SC, NC, VA. 

(4) Jack Lyons.— Region: ME, NH, VT, NY, MA, RI, CT, NJ, PA, MD, DE, DC. 

PREPARING FOR EMERGENCIES 

One of the most important functions of the field representatives is to support a 
3-year adoption cycle by States and local jurisdictions for National model building 
codes — including electrical, life safety, and energy — to coincide with the 3-year Na- 
tional revision cycles. These codes are: 

• NFPA 70 National Electrical Code; 

• NFPA 101 Life Safety Code; 

• NFPA 99 Health Care Facilities Code; 

• NFPA 72 National Fire Alarm and Signaling Code; 

• NFPA 720 Carbon Monoxide Detection Code; 

• International Building Code (IBC); 

• International Residential Code (IRC); 

• International Energy Conservation Code (IECC); 

• International Green Construction Code (IgCC); 

• International Fire Code (IFC). 

National model building codes provide the blueprint for constructing residential, 
commercial, and institutional buildings and other structures. They prescribe the 
minimum safety and performance standards which allow occupants to live and oper- 
ate in a safe and optimally-performing building. Model building codes also prescribe 
the latest advancements in energy efficiency, resiliency in building structure, and 
life safety through the use of hazardous elements detection. The codes are revised 
through an open and transparent stakeholder process led by the International Code 
Council (ICC) and National Fire Protection Association (NFPA) every 3 years to in- 
corporate advances in safety and technology in homes and buildings. Therefore, 
timely adoption in accordance with the National model revision schedule is vitally 
important. 

Direct adoption and enforcement of the latest building codes every 3 years pro- 
vides: 

• enhanced safety to homeowners and building occupants through the use of the 
latest technology and knowledge in life safety (i.e., emergency lighting; fire, 
smoke, and carbon monoxide detection) and electrical hazard protection (i.e., arc 
fault circuit interrupters, ground fault circuit interrupters); 

• utilization of the latest advancements in technology, enabling the use of on-site 
energy generation for back-up power and for ensuring the structural integrity 
of buildings. 

Proper installation of electrical equipment is key to safety and resiliency. The 
NEMA Field Representative Program provides training to State and local code officials, inspectors, and installers on the latest codes and on the proper installation 
and use of NEMA member products. 

RECOVERING FROM DISASTERS 

While preparation is essential, loss of life and damage to property will inevitably 
occur. One responsibility of a NEMA Field Representative is to make himself avail- 
able to Government officials after a natural disaster. 

Because safety is of paramount importance to our member companies, all time, 
travel, and materials associated with the Field Representative Program is paid for 
by NEMA members. In years past, NEMA Field Representatives have visited areas 
destroyed by Hurricanes Irene, Katrina, and Sandy. They’ve also responded to both 
flood and snow emergencies in the Midwest, as well as the Colorado flood earlier 
this year. In January of 2010, NEMA offered its Field Representatives to assist in 
Haiti after its devastating earthquake. 

When disaster strikes, NEMA promotes a number of resources for public officials 
addressing major infrastructure damage. NEMA’s user-friendly Evaluating Water-Damaged Electrical Equipment¹ and Evaluating Fire- and Heat-Damaged Electrical Equipment guides are critical resources for protecting life and property after a disaster. Additionally, Storm Reconstruction: Rebuild Smart offers strategies for reconstructing electrical infrastructure in such a way that mitigates future disasters. All 
of these resources are available on NEMA’s website, www.nema.org. 

As rebuilding commences, NEMA Field Representatives assist in solving problems 
involving the installation of NEMA member products by serving as intermediaries 
between Government officials and NEMA member companies. Decision makers 
should involve NEMA in the wake of disasters and a recent example highlights this. 

In the wake of Superstorm Sandy, the New Jersey Department of Consumer Af- 
fairs (DCA) issued a directive for installers. The DCA stated that for wiring that 
had been submerged under water, “If undamaged, no replacement is necessary.”² 
This directive is at best unclear and the DCA implied on its web page the continued 
use of previously submerged wire is fine by stating that equipment was safe to use 
for 90 days. 


¹ http://www.nema.org/Standards/Pages/Evaluating-Water-Damaged-Electrical-Equipment.aspx#download. 

² http://www.nj.gov/dca/divisions/codes/alerts/pdfs/hurricane sandy guidance 11-2012.pdf. 

This position does not comport with the NEMA recommendations in Evaluating 
Water-Damaged Electrical Equipment. 

The guide states: 

“Electrical equipment exposed to water can be extremely hazardous if reenergized 
without performing a proper evaluation and taking necessary actions. Reductions in 
integrity of electrical equipment due to moisture can affect the ability of the equip- 
ment to perform its intended function. Damage to electrical equipment can also re- 
sult from flood waters contaminated with chemicals, sewage, oil, and other debris, 
which will affect the integrity and performance of the equipment. Ocean water and 
salt spray can be particularly damaging due to the corrosive and conductive nature 
of the salt water residue. 

“4.6 Wire, Cable and Flexible Cords When any wire or cable product is exposed to 
water, any metallic component (such as the conductor, metallic shield, or armor) is 
subject to corrosion that can damage the component itself and/or cause termination 
failures. If water remains in medium voltage cable, it could accelerate insulation de- 
terioration, causing premature failure. Wire and cable listed for only dry locations 
may become a shock hazard when energized after being exposed to water. 

“Any recommendations for reconditioning wire and cable in Section 1.0 are based 
on the assumption that the water contains no high concentrations of chemicals, oils, 
etc. If it is suspected that the water has unusual contaminants, such as may be 
found in some floodwater, the manufacturer should be consulted before any decision 
is made to continue using any wire or cable products.” 

NEMA Field Representatives expressed their objection to the DCA directive after 
it was issued, but NEMA’s concerns were not addressed, and have yet to be. Subse- 
quent to issuance of the directive, tragedy struck Seaside Park and Seaside Heights, 
New Jersey, when more than 50 businesses on the boardwalk were destroyed by 
fire. Investigators have ruled the fire accidental and believe electrical wiring that 
had been submerged by seawater during Superstorm Sandy is the culprit. 

NEMA continues to advocate for electrical safety in New Jersey and across the 
country. 